Description

Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cache poisoning if the CDN does not properly distinguish between RSC / HTML in the cache keys. This issue has been resolved in Next.js 15.3.3.

INFO

Published Date :

2025-07-03T21:01:14.743Z

Last Modified :

2025-07-08T14:34:12.642Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-49005 vulnerability.

Vendors Products
Vercel
  • Next.js
  • Vercel
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-49005.

URL Resource
https://github.com/vercel/next.js/commit/ec202eccf05820b60c6126d6411fe16766ecc066 cve-icon cve-icon cve-icon
https://github.com/vercel/next.js/issues/79346 cve-icon cve-icon cve-icon cve-icon
https://github.com/vercel/next.js/releases/tag/v15.3.3 cve-icon cve-icon cve-icon
https://github.com/vercel/next.js/security/advisories/GHSA-r2fc-ccr8-96c4 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-49005 cve-icon
https://vercel.com/changelog/cve-2025-49005 cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-49005 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact