A low severity cache poisoning vulnerability was discovered in Next.js.
Link to headingSummary
This affects versions >14.2.24 through <15.1.6 as a bypass of the previous CVE-2024-46982. The issue happens when an attacker exploits a race condition between two requests — one containing the?__nextDataRequest=1 query parameter and another with the x-now-route-matches header.
Some CDN providers may cache a 200 OK response even in the absence of explicit cache-control headers, enabling a poisoned response to persist and be served to subsequent users.
Link to headingAffected Versions
Next.js versions
>14.2.24through<15.1.6
Link to headingImpact
This vulnerability allows an attacker to poison the CDN cache by injecting the response body from a non-cacheable data request (?__nextDataRequest=1) into a normal request that retains cacheable headers, such as Cache-Control: public, max-age=300.
No backend access or privileged escalation is possible through this vulnerability.
This issue was verified using automated tooling that repeatedly triggers the race condition. Successful exploitation depends on precise timing and the presence of a vulnerable CDN configuration. A Python-based proof of concept script was shared by the reporter and used to validate this behavior on live targets prior to the patch.
Link to headingPatches
This issue was patched in 15.1.6 and 14.2.24 by stripping the x-now-route-matches header from incoming requests.
Link to headingVercel Platform Mitigation
Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on 200 OK status without explicit cache-control headers.
Link to headingWorkarounds
For self-hosted Next.js deployments unable to upgrade immediately, you can mitigate this vulnerability by:
Stripping the
x-now-route-matchesheader from all incoming requests at your CDNSetting
cache-control: no-storefor all responses under risk
We strongly recommend only caching responses with explicit cache-control headers.
Link to headingCredit
Thank you to Allam Rachid (zhero;) for the responsible disclosure. They were awarded as part of our bug bounty program.