216.73.216.215

CVE-2025-49005

· Published 03/07/2025 21:15 · Modified 03/07/2025 21:15

Labels: CVE-2025-49005 2025-07-03CVE-2025-49005CWE-444[email protected]

Essential information

Published
03/07/2025 21:15
Modified
03/07/2025 21:15
Author
Creator
CVSS
3.7 LOW (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS metrics

Description

Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cache poisoning if the CDN does not properly distinguish between RSC / HTML in the cache keys. This issue has been resolved in Next.js 15.3.3.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
next.js / next.js cpe:2.3:a:next.js:next.js:15.3.0-15.3.2:*:*:*:*:*:*:*
vercel / vercel cli cpe:2.3:a:vercel:vercel_cli:41.4.1-42.1.9:*:*:*:*:*:*:*

References