Bug 2477168 (CVE-2026-44572) - CVE-2026-44572 next.js: Next.js: Denial of Service due to improper handling of x-nextjs-data header with redirects
Summary: CVE-2026-44572 next.js: Next.js: Denial of Service due to improper handling o...
Keywords:
Status: NEW
Alias: CVE-2026-44572
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2481136 2481137 2481138 2481139 2481134 2481135
Blocks:
Reported: 2026-05-13 17:02 UTC by OSIDB Bzimport
Modified: 2026-05-25 07:47 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-05-13 17:02:06 UTC
Next.js is a React framework for building full-stack web applications. In versions from 12.2.0 to before 15.5.16 and 16.2.5, an external client could send an x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.
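The redirect swap and cache interaction described above, modelled as an added JavaScript example (not Next.js or the project's own code; the function names, the SharedCache class and the /dashboard and /login paths are hypothetical). It shows what a normal visitor receives from a shared cache with and without the cache key varying on x-nextjs-data, and with the corrected redirect behaviour.

```javascript
// Added example (not Next.js code): simplified model of the redirect handling and
// cache interaction in CVE-2026-44572. All names below are hypothetical.

// Affected path: a request carrying x-nextjs-data is treated as a data request,
// so Location is replaced by x-nextjs-redirect, which browsers do not follow.
function vulnerableRedirect(req, target) {
  const headers = new Map([['content-type', 'text/plain']]);
  if (req.headers.has('x-nextjs-data')) {
    headers.set('x-nextjs-redirect', target);
  } else {
    headers.set('location', target);
  }
  return { status: 307, headers };
}

// Corrected behaviour: a normal request always gets a Location header.
function fixedRedirect(req, target) {
  return { status: 307, headers: new Map([['content-type', 'text/plain'], ['location', target]]) };
}

// Minimal shared cache (CDN / reverse proxy) that stores 3xx responses;
// `varyOn` lists the request headers that form part of the cache key.
class SharedCache {
  constructor(varyOn = []) { this.varyOn = varyOn; this.store = new Map(); }
  key(req) {
    const parts = this.varyOn.map(h => `${h}=${req.headers.get(h) ?? ''}`);
    return [req.path, ...parts].join('|');
  }
  fetch(req, origin) {
    const k = this.key(req);
    if (!this.store.has(k)) this.store.set(k, origin(req));
    return this.store.get(k);
  }
}

function makeReq(path, headers = {}) {
  return { path, headers: new Map(Object.entries(headers)) };
}

// Defender's check: a 3xx response without Location is unusable for normal clients.
function isUsableRedirect(res) {
  return res.status >= 300 && res.status < 400 && res.headers.has('location');
}

// One request with the header, then a normal visitor to the same cached path.
function simulate(redirectFn, cache) {
  const origin = req => redirectFn(req, '/login');
  cache.fetch(makeReq('/dashboard', { 'x-nextjs-data': '1' }), origin);
  return isUsableRedirect(cache.fetch(makeReq('/dashboard'), origin));
}
```

With a path-only cache key, `simulate(vulnerableRedirect, new SharedCache())` returns false because the visitor is served the poisoned entry; keying the cache on x-nextjs-data, or running the corrected behaviour, returns true.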

