Blog / Changelog

CVE-2025-32421

2 min read

A low severity cache poisoning vulnerability was discovered in Next.js.

Link to headingSummary

This affects versions >14.2.24 through <15.1.6 as a bypass of the previous CVE-2024-46982. The issue happens when an attacker exploits a race condition between two requests — one containing the?__nextDataRequest=1 query parameter and another with the x-now-route-matches header.

Some CDN providers may cache a 200 OK response even in the absence of explicit cache-control headers, enabling a poisoned response to persist and be served to subsequent users.

Link to headingAffected Versions

  • Next.js versions >14.2.24 through <15.1.6

Link to headingImpact

This vulnerability allows an attacker to poison the CDN cache by injecting the response body from a non-cacheable data request (?__nextDataRequest=1) into a normal request that retains cacheable headers, such as Cache-Control: public, max-age=300.

No backend access or privileged escalation is possible through this vulnerability.

This issue was verified using automated tooling that repeatedly triggers the race condition. Successful exploitation depends on precise timing and the presence of a vulnerable CDN configuration. A Python-based proof of concept script was shared by the reporter and used to validate this behavior on live targets prior to the patch.

Link to headingPatches

This issue was patched in 15.1.6 and 14.2.24 by stripping the x-now-route-matches header from incoming requests.

Link to headingVercel Platform Mitigation

Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on 200 OK status without explicit cache-control headers.

Link to headingWorkarounds

For self-hosted Next.js deployments unable to upgrade immediately, you can mitigate this vulnerability by:

  • Stripping the x-now-route-matches header from all incoming requests at your CDN

  • Setting cache-control: no-store for all responses under risk

We strongly recommend only caching responses with explicit cache-control headers.

Link to headingCredit

Thank you to Allam Rachid (zhero;) for the responsible disclosure. They were awarded as part of our bug bounty program.

Ready to deploy? Start building with a free account. Speak to an expert for your Pro or Enterprise needs.

Start Deploying
Talk to an Expert

Explore Vercel Enterprise with an interactive product tour, trial, or a personalized demo.

Explore Enterprise