{"id":5132,"date":"2025-07-05T10:04:06","date_gmt":"2025-07-05T10:04:06","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/07\/05\/next-js-cache-poisoning-vulnerability-let-attackers-trigger-dos-condition\/"},"modified":"2025-07-05T10:04:06","modified_gmt":"2025-07-05T10:04:06","slug":"next-js-cache-poisoning-vulnerability-let-attackers-trigger-dos-condition","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/07\/05\/next-js-cache-poisoning-vulnerability-let-attackers-trigger-dos-condition\/","title":{"rendered":"Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition"},"content":{"rendered":"

Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n
Key Takeaways<\/strong>
<\/mark>1. Next.js versions 15.1.0-15.1.8 have a cache poisoning bug causing DoS attacks through blank page delivery.
2. Needs affected Next.js version + ISR with cache revalidation + SSR with CDN caching 204 responses.
3. Race condition allows HTTP 204 responses to be cached for static pages, serving empty content to all users.
4. Update to Next.js 15.1.8+ immediately - the vulnerability is fully patched.<\/pre>\n
A critical security vulnerability identified as CVE-2025-49826 has been discovered in Next.js, the popular React-based web framework, allowing attackers to exploit cache poisoning mechanisms to trigger Denial of Service (DoS) conditions.\u00a0<\/p>\n
The vulnerability, reported by security researchers Allam Rachid (zhero) and Allam Yasser (inzo_), affects Next.js versions ranging from 15.1.0 to 15.1.8, prompting immediate security updates from the development team.<\/p>\n
Next.js DoS Vulnerability<\/strong><\/h2>\n
The vulnerability stems from a cache poisoning<\/a> bug that manipulates the framework\u2019s response caching mechanism, specifically targeting HTTP 204 responses in static page rendering.\u00a0<\/p>\n
Under specific conditions, the flaw allows malicious actors to poison the cache with empty responses, causing legitimate users to receive blank pages instead of proper content.<\/p>\n
For the vulnerability to be exploitable, three critical conditions must be met simultaneously: deployment of an affected Next.js version (>=15.1.0 <15.1.8), utilization of Incremental Static Regeneration (ISR) with cache revalidation in production mode (next start or standalone deployment), and implementation of Server-Side Rendering (SSR) with a Content Delivery Network (CDN) configured to cache 204 responses.<\/p>\n
The attack vector exploits a race condition in Next.js\u2019s shared response object mechanism, where the framework incorrectly processes and caches HTTP 204 status codes.\u00a0<\/p>\n
When successfully executed, this cache poisoning technique results in persistent DoS conditions, as the cached empty response gets served to all subsequent users attempting to access the affected static pages.\u00a0<\/p>\n
The vulnerability\u2019s impact is particularly severe for high-traffic applications relying on ISR for performance optimization.<\/p>\n
\n\n\n\n\n\n\n\n
Risk Factors<\/strong><\/td>\nDetails<\/strong><\/td>\n<\/tr>\n
Affected Products<\/td>\n\nNext.js<\/a> versions \u226515.1.0 <15.1.8<\/td>\n<\/tr>\n
Impact<\/td>\nCache poisoning leading to Denial of Service (DoS) condition<\/td>\n<\/tr>\n
Exploit Prerequisites<\/td>\n1. Using affected Next.js version (\u226515.1.0 <15.1.8)2. Route using cache revalidation with ISR (next start or standalone mode)3. Route using SSR with CDN configured to cache 204 responses<\/td>\n<\/tr>\n
CVSS 3.1 Score<\/td>\n7.5 (High)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
Remediation<\/strong><\/h2>\n
The Next.js development team has addressed<\/a> the vulnerability through comprehensive code modifications targeting the root cause of the cache poisoning mechanism.\u00a0<\/p>\n
The primary fix involved removing the problematic code path responsible for setting incorrect 204 responses in the static page rendering pipeline.\u00a0<\/p>\n
Additionally, developers eliminated the race condition by restructuring the response caching architecture to no longer rely on shared response objects for populating the Next.js response cache.<\/p>\n
Security experts recommend immediate migration to Next.js version 15.1.8 or later, which includes the complete resolution for CVE-2025-49826.\u00a0<\/p>\n
Organizations using affected versions should prioritize updating their dependencies and conducting thorough testing of their ISR and SSR implementations.\u00a0<\/p>\n
Notably, applications hosted on Vercel\u2019s platform remain unaffected due to the platform\u2019s infrastructure design that prevents this specific attack vector.<\/p>\n
Development teams should implement comprehensive security monitoring for their Next.js applications<\/a>, particularly focusing on cache behavior anomalies and unexpected 204 response patterns that could indicate ongoing exploitation attempts.<\/p>\n
Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now<\/strong><\/a>\u00a0<\/p>\n
The post Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
 \t

\n 
<\/BR>
\n    Guru Baran
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n 
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"
Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition Key Takeaways1. Next.js versions 15.1.0-15.1.8 have a cache poisoning bug causing DoS attacks through blank page delivery.2. Needs affected Next.js version + ISR with cache revalidation + SSR with CDN caching 204 responses.3. Race condition allows HTTP 204 responses to be cached for static pages, serving […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,1438,1494,131],"tags":[130],"class_list":["post-5132","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-dos-attack","category-next-js","category-vulnerability","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5132"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=5132"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5132\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=5132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=5132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=5132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}