CVE-2025-49826
Published 2025-07-03
Priority: P3 · 42 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.80% (52.0th percentile)
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow an HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 15.0.4-canary.51 < 15.1.8 | 15.1.8 |
| vercel | next.js | < 15.1.8 | 15.1.8 |
| vercel | next.js | — | — |
| vercel | next.js | — | — |
CVSS provenance
- nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- ghsa: 7.5 HIGH
- osv: 7.5 HIGH
- vendor_redhat: 7.5 HIGH
OSV
Next.JS vulnerability can lead to DoS via cache poisoning
osv·2025-07-03·CVSS 7.5
CVE-2025-49826 [HIGH] Next.JS vulnerability can lead to DoS via cache poisoning
### Summary
A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.
Under certain conditions, this issue may allow an HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page.
More details: [CVE-2025-49826](https://vercel.com/changelog/cve-2025-49826)
## Credits
- Allam Rachid [zhero;](https://zhero-web-sec.github.io/research-and-things/)
- Allam Yasser (inzo)
GHSA
Next.JS vulnerability can lead to DoS via cache poisoning
ghsa·2025-07-03·CVSS 7.5
CVE-2025-49826 [HIGH] CWE-444 Next.JS vulnerability can lead to DoS via cache poisoning
### Summary
A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.
Under certain conditions, this issue may allow an HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page.
More details: [CVE-2025-49826](https://vercel.com/changelog/cve-2025-49826)
## Credits
- Allam Rachid [zhero;](https://zhero-web-sec.github.io/research-and-things/)
- Allam Yasser (inzo)
Red Hat
nextjs: Next.js denial of service
vendor_redhat·2025-07-03·CVSS 7.5
CVE-2025-49826 [HIGH] CWE-444 nextjs: Next.js denial of service
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow an HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.
A denial of service flaw was found in Next.js. In certain situations, this issue may lead to an HTTP 204 response being cached for static pages, which can result in the 204 response being provided to all users trying to access the page.
Statement: This flaw will on
No detection rules found.
No public exploits indexed.
Published: 2025-07-03