CVE-2025-32421

Cache Poisoning
Affects: Next.js
Versions: <14.2.24, >=15.0.0 <15.1.6
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Next.js is a React framework for building web applications.

CVE-2025-32421 is a vulnerability in the Next.js Pages Router. Under certain misconfigurations, a race condition between a page request and its corresponding data request can cause an ordinary page endpoint to respond with pageProps JSON instead of the rendered HTML. When a misconfigured CDN caches that response under the page's URL, the result is cache poisoning.

Per OWASP: Cache poisoning is an attack in which an adversary injects malicious or manipulated content into a cache—such as a CDN, reverse proxy, or web application cache—so that when legitimate clients later request that resource, they receive the poisoned content.

This issue affects all versions of Next.js less than 14.2.24 and 15.x versions less than 15.1.6.

Details

Vulnerability Info

This low-severity vulnerability is in the main next package of the affected Next.js versions.

An attacker exploits the timing issue by sending a request that carries the ?__nextDataRequest=1 query parameter together with a forged x-now-route-matches header, which tricks the server into returning the JSON normally reserved for client-side hydration. If the CDN caches that response under the base path (discarding the query string) rather than under the full URL, every subsequent ordinary visitor to the page is served JSON instead of HTML, which breaks the page for them and can expose data that was only meant to feed the client-side render. Whether a given deployment is exposed therefore depends on two things: the origin running an affected version, and the CDN in front of it keying its cache on the path alone while letting the header through.

Mitigation

Next.js 13 and older have reached End-of-Life and will not receive updates to address this issue.

Fixes are available in the latest 14.x and 15.x releases. Users of affected versions should apply one of the following mitigations:

  • Migrate to the latest version of Next.js.
  • Use a commercial support partner such as HeroDevs for post-EOL security support.
  • For self-hosted Next.js deployments that cannot upgrade immediately, Vercel recommends mitigating at the CDN by:
    • stripping the x-now-route-matches header from all incoming requests, and
    • setting cache-control: no-store on all responses at risk.
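As an added example, not code from this advisory, from HeroDevs or from the Next.js project, the following Node.js script models both the poisoning sequence described under Details and the CDN-side mitigations listed above. The origin, the CDN, the /profile route and the sample pageProps are all constructed for the illustration; a real Pages Router app decides what counts as a data request inside its own routing code, which the script simplifies to "query parameter and header both present".

```javascript
// Added example, not code from the HeroDevs advisory or from Next.js itself.
// It models the advisory's scenario with constructed requests: an origin that
// (like a vulnerable Pages Router app) answers a request carrying both the
// ?__nextDataRequest=1 query parameter and an x-now-route-matches header with
// pageProps JSON, behind a CDN whose cache key drops the query string. The
// origin logic is a deliberate simplification, not Next.js's real routing code.

const DATA_QUERY = "__nextDataRequest";
const MATCH_HEADER = "x-now-route-matches";

// Lower-case header names so lookups do not depend on the caller's casing.
function normalizeHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
  );
}

// Simplified origin. Only when BOTH the data-request query parameter and the
// route-matches header are present does it return the JSON used for hydration;
// every other request for the path gets the rendered HTML page.
function origin(req) {
  const url = new URL(req.url, "http://origin.invalid");
  const headers = normalizeHeaders(req.headers);
  const isDataRequest =
    url.searchParams.get(DATA_QUERY) === "1" && MATCH_HEADER in headers;
  if (isDataRequest) {
    return {
      status: 200,
      headers: { "content-type": "application/json" },
      // Constructed sample pageProps; stands in for whatever a real page embeds.
      body: JSON.stringify({ pageProps: { path: url.pathname, user: "alice@example.invalid" } }),
    };
  }
  return {
    status: 200,
    headers: { "content-type": "text/html" },
    body: `<!doctype html><html><body><h1>${url.pathname}</h1></body></html>`,
  };
}

// Toy CDN with the knobs the advisory's mitigations turn:
//   keyFn        - how the cache key is derived from the request
//   stripHeaders - request headers removed before forwarding to the origin
//   noStore      - if true, responses are never cached (cache-control: no-store)
class Cdn {
  constructor({ keyFn, stripHeaders = [], noStore = false }) {
    this.keyFn = keyFn;
    this.stripHeaders = stripHeaders.map((h) => h.toLowerCase());
    this.noStore = noStore;
    this.cache = new Map();
  }

  fetch(req) {
    const key = this.keyFn(req);
    const hit = this.cache.get(key);
    if (hit) return { ...hit, cached: true };
    const headers = normalizeHeaders(req.headers);
    for (const h of this.stripHeaders) delete headers[h];
    const res = origin({ url: req.url, headers });
    if (!this.noStore) this.cache.set(key, res);
    return { ...res, cached: false };
  }
}

// Misconfigured key: path only, query string discarded.
const keyOnPathOnly = (req) => new URL(req.url, "http://origin.invalid").pathname;
// Correct key: the full request URL including the query string.
const keyOnFullUrl = (req) => req.url;

// Attacker primes the cache for /profile, then an ordinary visitor loads it.
function runScenario(config) {
  const cdn = new Cdn(config);
  cdn.fetch({ url: `/profile?${DATA_QUERY}=1`, headers: { [MATCH_HEADER]: "1" } });
  const victim = cdn.fetch({ url: "/profile", headers: {} });
  return { contentType: victim.headers["content-type"], cached: victim.cached };
}

// True when the ordinary visitor receives JSON instead of the HTML page.
function isPoisoned(config) {
  return runScenario(config).contentType !== "text/html";
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("path-only key, no mitigation :", runScenario({ keyFn: keyOnPathOnly }));
  console.log("header stripped at the CDN   :", runScenario({ keyFn: keyOnPathOnly, stripHeaders: [MATCH_HEADER] }));
  console.log("cache-control: no-store      :", runScenario({ keyFn: keyOnPathOnly, noStore: true }));
  console.log("cache keyed on full URL      :", runScenario({ keyFn: keyOnFullUrl }));
}
```

Run it with node to print the four scenarios. In the vulnerable configuration (path-only cache key, header passed through) the ordinary visitor is served application/json straight from the cache; with either of Vercel's mitigations, stripping the header or marking the responses no-store, the visitor gets the HTML page. Keying the cache on the full URL is not one of the listed mitigations, but it removes the misconfiguration the advisory depends on, so the model includes it as a fourth case for comparison.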

Credits

  • Allam Rachid (zhero)

Vulnerability Details

ID: CVE-2025-32421
Project affected: Next.js
Versions affected: <14.2.24, >=15.0.0 <15.1.6
Published date: June 17, 2025
Approximate fix date: February 10, 2025
Fixed in:
Severity (CVSS assessment): Low (scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
Category: Cache Poisoning