Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition
Key Takeaways
1. Next.js versions 15.1.0-15.1.8 contain a cache poisoning bug that enables DoS by serving blank pages.
2. Exploitation requires an affected Next.js version, ISR with cache revalidation, and SSR behind a CDN that caches 204 responses.
3. Race condition allows HTTP 204 responses to be cached for static pages, serving empty content to all users.
4. Update to Next.js 15.1.8+ immediately; the vulnerability is fully patched.
A critical security vulnerability identified as CVE-2025-49826 has been discovered in Next.js, the popular React-based web framework, allowing attackers to exploit cache poisoning mechanisms to trigger Denial of Service (DoS) conditions.
The vulnerability, reported by security researchers Allam Rachid (zhero) and Allam Yasser (inzo_), affects Next.js versions ranging from 15.1.0 to 15.1.8, prompting immediate security updates from the development team.
Next.js DoS Vulnerability
The vulnerability stems from a cache poisoning bug that manipulates the framework’s response caching mechanism, specifically targeting HTTP 204 responses in static page rendering.
Under specific conditions, the flaw allows malicious actors to poison the cache with empty responses, causing legitimate users to receive blank pages instead of proper content.
For the vulnerability to be exploitable, three critical conditions must be met simultaneously: deployment of an affected Next.js version (>=15.1.0 <15.1.8), utilization of Incremental Static Regeneration (ISR) with cache revalidation in production mode (next start or standalone deployment), and implementation of Server-Side Rendering (SSR) with a Content Delivery Network (CDN) configured to cache 204 responses.
The attack vector exploits a race condition in Next.js’s shared response object mechanism, where the framework incorrectly processes and caches HTTP 204 status codes.
When successfully executed, this cache poisoning technique results in persistent DoS conditions, as the cached empty response gets served to all subsequent users attempting to access the affected static pages.
The vulnerability’s impact is particularly severe for high-traffic applications relying on ISR for performance optimization.
| Risk Factors | Details |
| --- | --- |
| Affected Products | Next.js versions ≥15.1.0 <15.1.8 |
| Impact | Cache poisoning leading to Denial of Service (DoS) condition |
| Exploit Prerequisites | 1. Using affected Next.js version (≥15.1.0 <15.1.8); 2. Route using cache revalidation with ISR (next start or standalone mode); 3. Route using SSR with CDN configured to cache 204 responses |
| CVSS 3.1 Score | 7.5 (High) |
Remediation
The Next.js development team has addressed the vulnerability through comprehensive code modifications targeting the root cause of the cache poisoning mechanism.
The primary fix involved removing the problematic code path responsible for setting incorrect 204 responses in the static page rendering pipeline.
Additionally, developers eliminated the race condition by restructuring the response caching architecture to no longer rely on shared response objects for populating the Next.js response cache.
Security experts recommend immediate migration to Next.js version 15.1.8 or later, which includes the complete resolution for CVE-2025-49826.
Organizations using affected versions should prioritize updating their dependencies and conducting thorough testing of their ISR and SSR implementations.
Notably, applications hosted on Vercel’s platform remain unaffected due to the platform’s infrastructure design that prevents this specific attack vector.
Development teams should implement comprehensive security monitoring for their Next.js applications, particularly focusing on cache behavior anomalies and unexpected 204 response patterns that could indicate ongoing exploitation attempts.
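One way to watch for the 204 pattern described above, as an added example that is not code from Next.js or from the advisory: it checks a version string against the affected range and flags page routes whose GET requests were answered with HTTP 204, separating responses served from the CDN cache. The JSON log format, its field names, the `/api/` prefix rule and the sample lines are assumptions constructed for illustration.

```javascript
// Added example: flag page routes whose GET requests are answered with
// HTTP 204. Log format and field names are assumptions, not a real CDN's.

// Constructed sample CDN log lines (one JSON object per line); not real traffic.
const SAMPLE_LOG = [
  '{"ts":"2025-07-01T10:00:01Z","method":"GET","path":"/blog/hello","status":200,"cache":"MISS","bytes":18432}',
  '{"ts":"2025-07-01T10:00:05Z","method":"GET","path":"/blog/hello","status":204,"cache":"MISS","bytes":0}',
  '{"ts":"2025-07-01T10:00:06Z","method":"GET","path":"/blog/hello","status":204,"cache":"HIT","bytes":0}',
  '{"ts":"2025-07-01T10:00:07Z","method":"GET","path":"/blog/hello","status":204,"cache":"HIT","bytes":0}',
  '{"ts":"2025-07-01T10:00:08Z","method":"DELETE","path":"/api/cart/1","status":204,"cache":"MISS","bytes":0}',
  '{"ts":"2025-07-01T10:00:09Z","method":"GET","path":"/pricing","status":200,"cache":"HIT","bytes":9120}',
  'not-json garbage line',
];

// Affected range as stated in the article: >=15.1.0 <15.1.8.
function isAffectedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version.trim());
  if (!m) return false; // pre-release or unparsable string: review manually
  const [major, minor, patch] = m.slice(1).map(Number);
  return major === 15 && minor === 1 && patch < 8;
}

// Returns one finding per page path that saw a 204 on GET, worst first.
// isPageRoute is a hypothetical filter; API routes may return 204 legitimately.
function find204Anomalies(lines, isPageRoute = (p) => !p.startsWith('/api/')) {
  const byPath = new Map();
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!e || typeof e.path !== 'string') continue;
    if (e.method !== 'GET' || e.status !== 204 || !isPageRoute(e.path)) continue;
    const f = byPath.get(e.path) || { path: e.path, total: 0, cacheHits: 0, firstSeen: e.ts };
    f.total += 1;
    if (e.cache === 'HIT') f.cacheHits += 1; // a cached 204 reaches every visitor
    if (e.ts < f.firstSeen) f.firstSeen = e.ts;
    byPath.set(e.path, f);
  }
  return [...byPath.values()]
    .map((f) => ({ ...f, severity: f.cacheHits > 0 ? 'cached-204' : 'origin-204' }))
    .sort((a, b) => b.cacheHits - a.cacheHits || b.total - a.total);
}

console.log(isAffectedVersion('15.1.7'), find204Anomalies(SAMPLE_LOG));
```

A `cached-204` finding on a page route means the CDN is serving the empty response to visitors, so purging that cache key is part of the response alongside the upgrade.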