A security vulnerability, identified as CVE-2025-49826, has been discovered and patched in the popular React-based web framework Next.js.
The flaw affects versions 15.1.0 up to but not including 15.1.8, and centers on a cache poisoning bug that could lead to a Denial of Service (DoS) for end users.
The vulnerability is triggered under specific conditions: when an affected version of Next.js is used with routes utilizing Incremental Static Regeneration (ISR) in next start or standalone mode, or with Server-Side Rendering (SSR) routes in combination with a CDN configured to cache HTTP 204 responses.
If these conditions are met, a 204 No Content response could be erroneously cached for static pages.
This results in all users attempting to access the page being served a blank 204 response, effectively rendering critical content inaccessible and causing a service blackout for those pages.
Rapid Response and Remediation Guidance
The Next.js team responded by removing the problematic code path that allowed 204 responses to be cached and addressed an underlying race condition involving a shared response object in the cache logic.
The fix was released in Next.js version 15.2.0 and also backported to 15.0.4 for users on earlier major versions.
Developers running self-hosted or on-premises deployments of Next.js between versions 15.1.0 and 15.1.7 are urged to upgrade immediately to version 15.2.0 or later.
Those on earlier versions should ensure they are using 15.0.4 or below.
The issue does not impact customers hosted on Vercel’s managed platform.
As an additional precaution, teams should review CDN configurations to prevent caching of unexpected 204 responses, especially when using SSR or ISR with custom cache rules.
The discovery and responsible disclosure of this vulnerability are credited to security researchers Allam Rachid (zhero) and Allam Yasser (inzo_).
The vulnerability received a CVSS score of 7.5, indicating high severity.
This incident underscores the importance of prompt patch management and careful review of caching strategies in modern web applications.
Developers are encouraged to stay vigilant and ensure their frameworks and dependencies are kept up to date to mitigate similar risks in the future.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
%20(1).webp?w=1200&resize=1200,0&ssl=1&description=The flaw affects versions 15.1.0 up to but not including 15.1.8, and centers on a cache poisoning bug that could lead to a Denial of Service (DoS) for end users.){kind=link}