Next.js Vulnerability Allows Attackers to Trigger DoS via Cache Poisoning

A critical vulnerability, tracked as CVE-2025-49826, has been discovered and addressed in the popular React-based web framework, Next.js.

The flaw, present in versions >=15.1.0 and <15.1.8, allowed attackers to exploit a cache poisoning bug, potentially leading to a Denial of Service (DoS) condition for affected applications, as per a report by Vercel.

Technical Details

The vulnerability stemmed from improper handling of HTTP 204 responses in certain caching scenarios.

Under specific conditions, a 204 No Content response could be cached for static pages.

Once cached, this empty response would be served to all users attempting to access the affected page, effectively rendering the content inaccessible and causing a service blackout.

For the vulnerability to be exploitable, all the following had to be true:

• The application was running an affected version of Next.js (>=15.1.0, <15.1.8).
• The route used cache revalidation with Incremental Static Regeneration (ISR) in next start or standalone mode.
• The route used Server-Side Rendering (SSR) and was behind a CDN configured to cache 204 responses.

Notably, customers hosted on Vercel were not impacted by this issue.

If exploited, the vulnerability could allow an attacker to poison the cache with a 204 response.

This would result in all subsequent users receiving the empty response, causing a denial of service for the affected static or SSR pages. The issue was rated with a CVSS score of 7.5, indicating high severity.

The Next.js team responded swiftly by:

• Removing the problematic code path that could set a 204 response in the cache.
• Eliminating a race condition by no longer relying on a shared response object to populate the cache.

The fix was released in version 15.1.8. Users running self-hosted or on-premises deployments of Next.js between 15.1.0 and 15.1.7 are strongly advised to upgrade immediately.

Those on earlier major versions should ensure they are on 15.0.4 or below.

• Upgrade Next.js to version 15.1.8 or later.
• Review CDN configurations to ensure 204 responses are not cached for critical routes.
• Monitor for abnormal HTTP 204 responses in application logs.

Staying current with security updates is essential to protect web applications from emerging threats.

Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free