Cyber Web Spider Blog – News

Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition


Posted on July 5, 2025 By CWS

Key Takeaways
1. Next.js versions 15.1.0-15.1.8 have a cache poisoning bug causing DoS attacks through blank page delivery.
2. Requires an affected Next.js version + ISR with cache revalidation + SSR with a CDN caching 204 responses.
3. A race condition allows HTTP 204 responses to be cached for static pages, serving empty content to all users.
4. Update to Next.js 15.1.8+ immediately; the vulnerability is fully patched.

A critical security vulnerability identified as CVE-2025-49826 has been discovered in Next.js, the popular React-based web framework, allowing attackers to exploit cache poisoning mechanisms to trigger Denial of Service (DoS) conditions.

The vulnerability, reported by security researchers Allam Rachid (zhero) and Allam Yasser (inzo_), affects Next.js versions ranging from 15.1.0 to 15.1.8, prompting immediate security updates from the development team.

Next.js DoS Vulnerability

The vulnerability stems from a cache poisoning bug that manipulates the framework's response caching mechanism, specifically targeting HTTP 204 responses in static page rendering.

Under specific conditions, the flaw allows malicious actors to poison the cache with empty responses, causing legitimate users to receive blank pages instead of proper content.

For the vulnerability to be exploitable, three critical conditions must be met simultaneously: deployment of an affected Next.js version (>=15.1.0 <15.1.8), usage of Incremental Static Regeneration (ISR) with cache revalidation in production mode (next start or standalone deployment), and implementation of Server-Side Rendering (SSR) with a Content Delivery Network (CDN) configured to cache 204 responses.

The attack vector exploits a race condition in Next.js's shared response object mechanism, where the framework incorrectly processes and caches HTTP 204 status codes.

When successfully executed, this cache poisoning technique results in persistent DoS conditions, as the cached empty response gets served to all subsequent users attempting to access the affected static pages.

The vulnerability's impact is particularly severe for high-traffic applications relying on ISR for performance optimization.

| Risk Factors | Details |
|---|---|
| Affected Products | Next.js versions ≥15.1.0 <15.1.8 |
| Impact | Cache poisoning leading to Denial of Service (DoS) condition |
| Exploit Prerequisites | 1. Using affected Next.js version (≥15.1.0 <15.1.8) 2. Route using cache revalidation with ISR (next start or standalone mode) 3. Route using SSR with CDN configured to cache 204 responses |
| CVSS 3.1 Score | 7.5 (High) |

Remediation

The Next.js development team has addressed the vulnerability through comprehensive code changes targeting the root cause of the cache poisoning mechanism.

The primary fix involved removing the problematic code path responsible for setting incorrect 204 responses in the static page rendering pipeline.

Additionally, developers eliminated the race condition by restructuring the response caching architecture to not rely on shared response objects for populating the Next.js response cache.

Security experts recommend immediate migration to Next.js version 15.1.8 or later, which includes the complete resolution for CVE-2025-49826.

Organizations using affected versions should prioritize updating their dependencies and conducting thorough testing of their ISR and SSR implementations.

Notably, applications hosted on Vercel's platform remain unaffected due to the platform's infrastructure design that prevents this specific attack vector.

Development teams should implement comprehensive security monitoring for their Next.js applications, particularly focusing on cache behavior anomalies and unexpected 204 response patterns that could indicate ongoing exploitation attempts.
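The 204 monitoring recommended above can be run as a check over CDN or edge access logs. This is an added example, not code from Next.js or from the original article; the JSON-lines log format, its field names and the `findSuspect204s` function are assumptions, and the sample log lines are constructed.

```javascript
// Added example: flag page routes that start returning cached, empty 204s.
// Assumed log format (constructed, JSON lines): ts, method, path, status, bytes, cache.
const SAMPLE_LOG = [
  '{"ts":"2025-07-05T10:00:01Z","method":"GET","path":"/blog/post-1","status":200,"bytes":18342,"cache":"HIT"}',
  '{"ts":"2025-07-05T10:00:02Z","method":"GET","path":"/api/ping","status":204,"bytes":0,"cache":"MISS"}',
  '{"ts":"2025-07-05T10:00:05Z","method":"GET","path":"/blog/post-1","status":204,"bytes":0,"cache":"MISS"}',
  '{"ts":"2025-07-05T10:00:06Z","method":"GET","path":"/blog/post-1","status":204,"bytes":0,"cache":"HIT"}',
  '{"ts":"2025-07-05T10:00:07Z","method":"GET","path":"/blog/post-1","status":204,"bytes":0,"cache":"HIT"}',
  '{"ts":"2025-07-05T10:00:08Z","method":"GET","path":"/pricing","status":200,"bytes":9120,"cache":"HIT"}',
  'not-json garbage line',
];

function findSuspect204s(lines, minCachedHits = 2) {
  const routes = new Map(); // path -> per-route state
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!e || e.method !== 'GET' || typeof e.path !== 'string') continue;
    const r = routes.get(e.path) ||
      { servedContent: false, cached204: 0, first204: null };
    routes.set(e.path, r);
    if (e.status === 200 && e.bytes > 0) {
      // Only 200s seen before any 204 prove the route normally has a body.
      if (r.first204 === null) r.servedContent = true;
    } else if (e.status === 204) {
      if (r.first204 === null) r.first204 = e.ts;
      if (e.cache === 'HIT') r.cached204 += 1; // empty response served from cache
    }
  }
  const findings = [];
  for (const [path, r] of routes) {
    // A route that used to return content and now serves 204 from cache
    // matches the blank-page symptom described for CVE-2025-49826.
    if (r.servedContent && r.cached204 >= minCachedHits) {
      findings.push({ path, cached204: r.cached204, first204: r.first204 });
    }
  }
  return findings;
}

console.log(findSuspect204s(SAMPLE_LOG));
```

Endpoints that legitimately answer 204 (such as the constructed `/api/ping` line) are not flagged, because they never served a non-empty 200 beforehand.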



Copyright © 2026 Cyber Web Spider Blog – News.
