CVE-2025-49826
📋 TL;DR
A cache poisoning vulnerability in Next.js versions 15.0.4-canary.51 through 15.1.7 lets an HTTP 204 (No Content) response be stored in the cache for a static page. Once a poisoned entry is in place, every subsequent visitor receives the empty 204 instead of the page's content until the entry expires or is purged, which amounts to a denial of service for that page. Only self-hosted Next.js deployments are affected; applications hosted on Vercel are not.
💻 Affected Systems
- Next.js
📦 What is this software?
Next.js by Vercel
⚠️ Risk & Real-World Impact
Worst Case
Critical static pages become completely inaccessible to all users, and the outage persists until the poisoned cache entries are purged or the application is patched, rebuilt and restarted.
Likely Case
Targeted static pages return empty 204 responses to every visitor, effectively taking those pages offline for as long as the poisoned cache entry persists.
If Mitigated
With cache validation in place and monitoring on 204 rates, impact is limited to a short period of unavailability for the affected page, ending when the cache entry's revalidation period expires or an operator purges it.
🎯 Exploit Status
Exploitation requires the ability to make the server produce an HTTP 204 response for a static page; once that response is stored, the cache does the rest and serves it to everyone. Neither this page nor the vendor advisory linked below spells out the triggering condition, so treat any self-hosted deployment in the affected range as exploitable rather than waiting for a public proof of concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.1.8
Vendor Advisory: https://github.com/vercel/next.js/security/advisories/GHSA-67rr-84xm-4c7r
Restart Required: Yes
Instructions:
1. Update Next.js to 15.1.8 or later and let the lockfile pick it up: 'npm install next@latest' (or 'npm install next@15.1.8') for npm, 'yarn upgrade next@latest' for yarn. A plain 'npm update' only moves within the range already declared in package.json, so do not rely on it.
2. Rebuild ('next build') from a clean checkout so the generated .next output, which holds the prerendered static pages, is regenerated rather than carried over from the vulnerable build.
3. Restart the Next.js process on every host.
4. Purge any external incremental cache store configured through 'cacheHandler' (for example Redis) and any CDN or reverse-proxy cache in front of the application, so a poisoned 204 entry does not outlive the upgrade.
🔧 Temporary Workarounds
Disable static page caching
Temporarily disable caching for the affected static pages so that an empty 204 response has nowhere to be stored.
How: the poisoned entry lives in the Next.js incremental cache on the server itself, so a 'cache-control: no-store' response header only protects CDN, reverse-proxy and browser caches, not Next.js's own cache. To stop Next.js from caching a page, render it dynamically instead (App Router: 'export const dynamic = "force-dynamic"' in the route segment; Pages Router: serve it with getServerSideProps rather than getStaticProps) and accept the extra server load until you can patch. Keep the no-store header for any intermediate caches you run.
Implement cache validation
Refuse to persist any page entry whose status is 204, so that a 204 may still be returned to the client that triggered it but never becomes the cached copy served to everyone else.
How: route the incremental cache through a custom 'cacheHandler' (configured in next.config.js) that checks the entry's status before storing it, and apply the same rule in any reverse-proxy cache in front of the app.
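One way to implement the cache validation workaround above, written for this page as an added example and not code from Next.js or Vercel. It assumes the documented custom cacheHandler interface (constructor(options), get(key), set(key, data, ctx), revalidateTag(tags), resetRequestCache()) and that page entries carry a kind of 'PAGES' or 'APP_PAGE', an html string and a numeric status; the in-memory Map stands in for whatever backend (filesystem, Redis) your real handler uses.

```javascript
// cache-handler.js: added example for this advisory, not code from Next.js or Vercel.
// A custom incremental cache handler that refuses to persist page entries whose status
// is 204 (or a 2xx with no body), so an empty response can never become the cached copy
// of a static page. Assumptions: the documented cacheHandler interface and that page
// entries carry `kind` ('PAGES' or 'APP_PAGE'), `html` and a numeric `status`. The Map is
// a stand-in for a real backend (filesystem, Redis). Wire it up in next.config.js with
//   module.exports = { cacheHandler: require.resolve('./cache-handler.js') }

const PAGE_KINDS = new Set(['PAGES', 'APP_PAGE']);

// Decide whether an entry may be persisted. Non-page entries (fetch data, route handlers,
// images) pass through untouched; page entries are refused when they are a 204 or an
// otherwise successful response with an empty body.
function shouldStore(data) {
  if (!data || !PAGE_KINDS.has(data.kind)) return true;
  const status = typeof data.status === 'number' ? data.status : 200;
  if (status === 204) return false;                                   // the CVE-2025-49826 case
  if (status >= 200 && status < 300 && !(data.html && data.html.length > 0)) return false;
  return true;                                                        // 404/500 pages are left to Next.js
}

class StatusGuardCacheHandler {
  constructor(options) {
    this.options = options;
    this.store = new Map();   // key -> { value, lastModified, tags }
    this.rejected = 0;        // export to metrics: non-zero means a 204 write was attempted
  }

  async get(key) {
    const entry = this.store.get(key);
    if (!entry) return null;
    // Defence in depth: never serve an entry that would be refused on write (for example
    // one written by a previous, unguarded handler).
    if (!shouldStore(entry.value)) {
      this.store.delete(key);
      return null;
    }
    return entry;
  }

  async set(key, data, ctx) {
    if (!shouldStore(data)) {
      this.rejected += 1;
      console.warn(`cache-handler: refused to cache ${key} (status ${data && data.status})`);
      return;
    }
    this.store.set(key, { value: data, lastModified: Date.now(), tags: (ctx && ctx.tags) || [] });
  }

  async revalidateTag(tags) {
    const wanted = new Set([].concat(tags));
    for (const [key, entry] of this.store) {
      if (entry.tags.some((t) => wanted.has(t))) this.store.delete(key);
    }
  }

  resetRequestCache() {}
}

// CommonJS export, guarded so the file also loads as an ES module.
if (typeof module !== 'undefined' && module.exports) {
  module.exports = StatusGuardCacheHandler;
  module.exports.shouldStore = shouldStore;
}
```

The guard lives in set, where the poisoning would happen, and again in get so that an entry written before the handler was deployed is dropped on first read instead of being served. The rejected counter is worth exporting: a single refused 204 write for a static route is a stronger signal of an exploitation attempt than anything in the access log.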
🧯 If You Can't Patch
- If a reverse proxy or CDN in front of the app can act on response status, configure it never to cache a 204 response for page routes. This page gives no specific request pattern that triggers the 204, so a WAF rule written to block the trigger would be guesswork; gate the cache rather than the request.
- Monitor the share of 204 responses per static page and alert when a page that normally returns 200 starts answering 204 to many distinct clients; purge that page's cache entry (on-demand revalidation or a rebuild) as the response action.
🔍 How to Verify
Check if Vulnerable:
You are affected if the installed version of 'next' is at least 15.0.4-canary.51 and below 15.1.8 (15.1.7 is the last affected release) and you self-host the application. Check the installed version, not the range in package.json: a range such as '^15.0.0' says nothing about which version the lockfile actually resolved.
Check Version:
'npm ls next' (or 'yarn why next') prints the installed version, and 'npx next --version' prints the version the project runs; alternatively read the version field of node_modules/next/package.json.
Verify Fix Applied:
After updating, confirm the installed version is 15.1.8 or higher, rebuild and purge the cache as described above, then request each previously affected static page and confirm it returns 200 with its content rather than an empty 204.
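The range check above, done in code so it can run in CI or across a fleet. This is an added example for this page, not a tool from Next.js or Vercel; it assumes the 'X.Y.Z' and 'X.Y.Z-tag.N' version strings Next.js publishes, and it conservatively treats pre-releases of 15.1.8 itself as affected because this page does not say which canary carried the fix.

```javascript
// Added example for this advisory (not a Next.js or Vercel tool): report whether an
// installed Next.js version falls inside the affected range >= 15.0.4-canary.51 and
// < 15.1.8. Assumes the "X.Y.Z" / "X.Y.Z-tag.N" version strings Next.js publishes.
// Pre-releases of 15.1.8 itself are conservatively treated as affected.

const AFFECTED_FROM = '15.0.4-canary.51';
const FIXED_IN = '15.1.8';

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  const pre = m[4] ? m[4].split('.').map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Semver pre-release identifier order: numeric before alphanumeric, numerics compared as
// numbers (so canary.9 < canary.51, which a plain string compare would get wrong).
function cmpIdent(a, b) {
  const an = typeof a === 'number', bn = typeof b === 'number';
  if (an && bn) return a - b;
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1.
function compareVersions(x, y) {
  const a = parseVersion(x), b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return Math.sign(a.core[i] - b.core[i]);
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;     // a release is newer than any of its own pre-releases
  if (!b.pre) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = cmpIdent(a.pre[i], b.pre[i]);
    if (c !== 0) return Math.sign(c);
  }
  return Math.sign(a.pre.length - b.pre.length);
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 && compareVersions(version, FIXED_IN) < 0;
}

// Installed version of the project this script runs in; null when next is not resolvable
// (for example when run outside a Next.js project).
function installedNextVersion() {
  try {
    return require('next/package.json').version;
  } catch (e) {
    return null;
  }
}

const installed = installedNextVersion();
if (installed) {
  console.log(`next ${installed}: ${isAffected(installed) ? 'AFFECTED, upgrade to 15.1.8 or later' : 'not in the affected range'}`);
}
```

Run it from the project root with node so that require resolves the same next package the application uses; the version check is deliberately written without the semver package so it can be dropped into an environment with no extra dependencies.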
📡 Detection & Monitoring
Log Indicators:
- Unusual increase in HTTP 204 responses for static pages
- Cache hit patterns showing 204 responses being served for cached static content
Network Indicators:
- HTTP 204 responses for normally content-rich static pages
- Abnormal cache headers on static page responses
SIEM Query:
http.status_code=204 AND http.method=GET AND uri.path IN [your static page routes] AND user_agent NOT IN [expected bots and health checkers]
Baseline first: 204 is a legitimate status for some endpoints (health checks, CORS preflight, API writes), so scope the query to page routes and alert on a change in the share of 204s per path across many distinct clients, not on single hits.
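The same detection logic as the query above, run offline over access log lines, added here as an example and not part of the advisory or the Next.js project. It assumes Combined Log Format (the nginx and Apache default) and a hypothetical site layout; the log lines inside it are constructed for the demonstration, with /pricing poisoned and /about healthy.

```javascript
// Added example for this advisory (not from the Next.js project): scan access logs for the
// footprint of a poisoned static page, a route that normally returns 200 with a body but is
// now answering 204 to most clients. Assumes Combined Log Format lines (nginx/Apache default)
// and a hypothetical site layout; SAMPLE_LOG is constructed for the demonstration.

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1], time: m[2], method: m[3],
    path: m[4].split('?')[0],             // fold query strings into one path
    status: Number(m[5]),
    bytes: m[6] === '-' ? 0 : Number(m[6]),
    agent: m[7],
  };
}

// Page routes only: API, asset and framework paths return 204 legitimately.
function isStaticPage(path, pages) {
  if (pages) return pages.includes(path);
  return !path.startsWith('/api/') && !path.startsWith('/_next/') && !/\.[a-z0-9]+$/i.test(path);
}

// Per path: how many GETs, how many of them were 204, and from how many distinct clients.
// A poisoned entry shows as many 204s from many IPs; one client receiving a 204 is not
// evidence of poisoning.
function findPoisonedPages(lines, { pages = null, minRequests = 5, ratio = 0.5, ignoreAgents = [] } = {}) {
  const perPath = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.method !== 'GET' || !isStaticPage(r.path, pages)) continue;
    if (ignoreAgents.some((a) => r.agent.includes(a))) continue;
    const s = perPath.get(r.path) || { total: 0, noContent: 0, clients: new Set() };
    s.total += 1;
    if (r.status === 204) { s.noContent += 1; s.clients.add(r.ip); }
    perPath.set(r.path, s);
  }
  const hits = [];
  for (const [path, s] of perPath) {
    if (s.total >= minRequests && s.noContent / s.total >= ratio) {
      hits.push({ path, total: s.total, noContent: s.noContent, distinctClients: s.clients.size });
    }
  }
  return hits.sort((a, b) => b.noContent - a.noContent);
}

// Constructed sample: /pricing has been poisoned (five different clients get 204, one got
// the page before poisoning), /about is healthy, /api/health and a HEAD probe are noise.
const SAMPLE_LOG = [
  '203.0.113.10 - - [10/Jul/2025:12:00:01 +0000] "GET /pricing HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.20 - - [10/Jul/2025:12:00:02 +0000] "GET /about HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
  '203.0.113.11 - - [10/Jul/2025:12:00:05 +0000] "GET /pricing?ref=mail HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [10/Jul/2025:12:00:06 +0000] "GET /api/health HTTP/1.1" 204 0 "-" "kube-probe/1.29"',
  '203.0.113.12 - - [10/Jul/2025:12:00:07 +0000] "GET /pricing HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
  '203.0.113.21 - - [10/Jul/2025:12:00:08 +0000] "GET /about HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
  '203.0.113.13 - - [10/Jul/2025:12:00:09 +0000] "GET /pricing HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
  '203.0.113.22 - - [10/Jul/2025:12:00:10 +0000] "GET /about HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
  '203.0.113.14 - - [10/Jul/2025:12:00:11 +0000] "GET /pricing HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
  '203.0.113.23 - - [10/Jul/2025:12:00:12 +0000] "GET /about HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
  '203.0.113.15 - - [10/Jul/2025:12:00:13 +0000] "GET /pricing HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
  '203.0.113.24 - - [10/Jul/2025:12:00:14 +0000] "GET /about HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [10/Jul/2025:12:00:15 +0000] "GET /api/health HTTP/1.1" 204 0 "-" "kube-probe/1.29"',
  '198.51.100.9 - - [10/Jul/2025:12:00:16 +0000] "HEAD /pricing HTTP/1.1" 204 0 "-" "UptimeRobot/2.0"',
  '203.0.113.30 - - [10/Jul/2025:12:00:17 +0000] "GET /_next/static/chunks/main.js HTTP/1.1" 200 91234 "-" "Mozilla/5.0"',
];

console.log(JSON.stringify(findPoisonedPages(SAMPLE_LOG), null, 2));
```

The ratio and minRequests thresholds are deliberately crude; tune them against a baseline window from before the suspected poisoning, and pass pages with the explicit list of static routes for your site rather than relying on the path heuristic once you know the layout.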