Next.js Flaw (CVE-2025-49826, CVSS 7.5): Cache Poisoning Leads to Denial-of-Service

A cache poisoning vulnerability (CVE-2025-49826) with a CVSS score of 7.5 has been disclosed in Next.js, the popular React-based web development framework. The flaw, found in versions >=15.1.0 <15.1.8, could be exploited under specific conditions to cause a Denial of Service (DoS) by unintentionally caching HTTP 204 responses for static pages.

“Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page,” the security advisory stated.

The root of the issue lies in the cache revalidation logic for Incremental Static Regeneration (ISR). If a site was deployed using an affected version of Next.js and met the following conditions, it became susceptible:

• Routes using cache revalidation with ISR in next start or standalone mode.
• Routes using Server-Side Rendering (SSR), combined with a CDN that caches 204 responses.

This caused a 204 No Content response — which typically signals no body content — to be erroneously cached and served to all users visiting the page. That could translate to entire pages failing to render properly across a site, effectively resulting in a service blackout for critical user-facing content.

The Next.js team patched the issue in version 15.2.0 and also backported a fix to 15.0.4. The fix removed the code path responsible for setting 204 responses and addressed a potential race condition that used a shared response object in cache logic.

“We removed the race condition that could have led to this cache poisoning by no longer relying on a shared response object to populate the Next.js response cache,” the advisory states.

If you’re running a self-hosted or on-prem version of Next.js between 15.1.0 and 15.1.7, upgrade immediately to 15.2.0 or later. If you’re using an earlier major version, ensure you’re on 15.0.4 or below.

Also review your CDN configuration to ensure that unexpected 204 responses are not being cached — especially if you utilize Server-Side Rendering or ISR with custom cache rules.

Related Posts:

• Next.js Vulnerability CVE-2024-46982: Cache Poisoning Exploit Threatens Deployments
• CVE-2024-51479: Next.js Authorization Bypass Vulnerability Affects Millions of Developers
• CVE-2025-48947: Session Cookies at Risk in Auth0 Next.js SDK
• Urgent: Patch Your Next.js for Authorization Bypass (CVE-2025-29927)
• Next.js Patches Denial-of-Service Vulnerability (CVE-2024-56332) in Server Actions