CVE-2025-49005
LOWDescription
Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cache poisoning if the CDN does not properly distinguish between RSC / HTML in the cache keys. This issue has been resolved in Next.js 15.3.3.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| vercel | next.js |
| vercel | vercel |
References
Advisories & Patches
Exploits
Other References
Frequently Asked Questions
What is CVE-2025-49005? +
How severe is CVE-2025-49005? +
What products are affected by CVE-2025-49005? +
How do I check if I'm vulnerable to CVE-2025-49005? +
Related Vulnerabilities
Member Login Script 3.3 contains a client-side desynchronization vulnerability that allows attackers to manipulate HTTP request handling by exploiting Content-Length …
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Quest Coexistence Manager for Notes (Free/Busy Connector modules) allows HTTP …
Connection desynchronization between an HTTP proxy and the model backend. The fixes were rolled out for all proxies in front …
An HTTP Request Smuggling [CWE-444] vulnerability in the Authentication portal of WatchGuard Fireware OS allows a remote attacker to evade …
This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by sending …
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing …