CVE-2026-44572
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Next.js is a popular open-source React framework developed by Vercel that enables server-side rendering, static site generation, and full-stack web application development.
A low-severity cache poisoning vulnerability (CVE-2026-44572) has been identified in Next.js. The edge-middleware adapter derives its "this is a client-side data fetch" signal from the inbound x-nextjs-data request header without first stripping externally-supplied copies. An attacker can send x-nextjs-data: 1 on a normal page request and, if middleware returns a redirect, the adapter swaps the Location header for the internal x-nextjs-redirect header. Browsers cannot follow x-nextjs-redirect, so the response is a broken redirect, and behind a CDN that does not vary on x-nextjs-data the broken response can be served to subsequent legitimate visitors. The attacker does not control the redirect target, which still comes from middleware; they only control whether it is delivered in a header that browsers honour, so the practical impact is that the affected page stops working for other visitors until the cache entry expires or is purged.
Per OWASP: The impact of a maliciously constructed response can be magnified if it is cached either by a web cache used by multiple users or even the browser cache of a single user. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue to receive the malicious content until the cache entry is purged.
Details
Module Info
- Product: Next.js
- Affected packages: next
- Affected versions: >=12.2.0 <15.5.16, >=16.0.0 <16.2.5
- GitHub repository: https://github.com/vercel/next.js
- Published packages: https://www.npmjs.com/package/next
- Package manager: npm
- Fixed in:
  - OSS v15.5.16, v16.2.5
  - NES for Next.js v12.3.14
Vulnerability Info
This low-severity vulnerability is found in Next.js versions >=12.2.0 and <15.5.16, as well as versions >=16.0.0 and <16.2.5.
The edge-middleware adapter at packages/next/server/web/adapter.ts reads request.headers['x-nextjs-data'] to decide whether to convert a middleware-issued redirect into the internal x-nextjs-redirect form. Because the inbound header is trusted verbatim, any client can supply it on a non-data URL and force that conversion on a page response that should have carried a normal Location header.
This vulnerability could be exploited by:
- sending a request with x-nextjs-data: 1 to a page URL that middleware redirects (for example a route gated by an authentication or A/B-test redirect)
- relying on a shared cache (CDN, reverse proxy) that does not include x-nextjs-data in its cache key, so the broken-redirect response is served back to subsequent legitimate visitors
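The following is an added example, not Next.js source code or HeroDevs material. It models the adapter behaviour described in the Vulnerability Info paragraph above (the vulnerable form that trusts the inbound header, beside a hardened form that strips it and re-derives the flag) and then runs the two-step scenario from the list: an attacker's request with x-nextjs-data: 1, followed by a plain visitor, through a shared cache that either does or does not include x-nextjs-data in its key. The function names, the request and response shapes, the middleware stand-in, and the use of the /_next/data/ path prefix as the trusted "data request" signal are assumptions of this example; the upstream fix may be implemented differently.

```javascript
// Added example (not Next.js source): minimal model of the edge-middleware
// adapter's redirect conversion and of a shared cache in front of it.
// Function names, request/response shapes and the /_next/data/ prefix used as
// the trusted signal are assumptions of this example.

// Lowercase-keyed copy of a header map so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Middleware stand-in: /dashboard (and its data route) is gated by a login redirect.
function middleware(request) {
  const path = new URL(request.url, 'http://localhost').pathname;
  const gated = path === '/dashboard' || /^\/_next\/data\/[^/]+\/dashboard\.json$/.test(path);
  return gated ? { status: 307, headers: { location: '/login' } } : { status: 200, headers: {} };
}

// Shared conversion step: for a data request the client router expects the
// target in x-nextjs-redirect; for a page request a browser needs Location.
function convertRedirect(isDataRequest, upstream) {
  const headers = { ...upstream.headers };
  if (isDataRequest && headers.location !== undefined) {
    headers['x-nextjs-redirect'] = headers.location;
    delete headers.location;
  }
  return { status: upstream.status, headers };
}

// Vulnerable form: the "data fetch" signal is the inbound header, taken verbatim.
function adaptVulnerable(request, upstream) {
  const inbound = normalizeHeaders(request.headers);
  return convertRedirect(inbound['x-nextjs-data'] !== undefined, upstream);
}

// Hardened form (one possible fix; the actual patch may differ): the external
// copy is discarded and the flag is re-derived from the data-route path that the
// framework's own client router requests (prefix assumed here).
function adaptHardened(request, upstream) {
  const inbound = normalizeHeaders(request.headers);
  delete inbound['x-nextjs-data'];
  const path = new URL(request.url, 'http://localhost').pathname;
  return convertRedirect(path.startsWith('/_next/data/'), upstream);
}

// A 3xx with no Location that a browser cannot act on: the broken redirect.
function isBrokenRedirect(response) {
  return response.status >= 300 && response.status < 400 &&
    response.headers.location === undefined &&
    response.headers['x-nextjs-redirect'] !== undefined;
}

// Minimal shared cache. varyHeaders lists the request headers that take part in
// the cache key; a CDN that does not vary on x-nextjs-data keys on the path only.
class SharedCache {
  constructor(varyHeaders) { this.vary = varyHeaders; this.store = new Map(); }
  key(request) {
    const inbound = normalizeHeaders(request.headers);
    const path = new URL(request.url, 'http://localhost').pathname;
    return [path, ...this.vary.map((h) => `${h}=${inbound[h] ?? ''}`)].join('|');
  }
  fetch(request, origin) {
    const k = this.key(request);
    if (!this.store.has(k)) this.store.set(k, origin(request));
    return this.store.get(k);
  }
}

// Attacker sends the forged header on the page URL; a plain visitor follows.
// Returns whether each party received a broken redirect.
function simulate(adapter, varyHeaders) {
  const cache = new SharedCache(varyHeaders);
  const origin = (request) => adapter(request, middleware(request));
  const attacker = { url: '/dashboard', headers: { 'x-nextjs-data': '1' } };
  const victim = { url: '/dashboard', headers: {} };
  const attackerBroken = isBrokenRedirect(cache.fetch(attacker, origin));
  const victimBroken = isBrokenRedirect(cache.fetch(victim, origin));
  return { attackerBroken, victimBroken };
}

console.log('vulnerable, cache keyed on path only:', simulate(adaptVulnerable, []));
console.log('vulnerable, cache varies on header:  ', simulate(adaptVulnerable, ['x-nextjs-data']));
console.log('hardened, cache keyed on path only:  ', simulate(adaptHardened, []));
```

With the vulnerable adapter and a path-only cache key the visitor receives the attacker's broken redirect; keying the cache on x-nextjs-data confines the broken response to the attacker, and the hardened adapter never produces it for a page URL while still converting a genuine /_next/data/ request.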
This does not impact applications hosted on providers that handle middleware at the platform level, such as Vercel.
Mitigation
Next.js versions prior to 15.5.x are End-of-Life and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to a fixed version of Next.js (15.5.16 or later on the 15.x line, 16.2.5 or later on the 16.x line).
- Leverage a commercial support partner like HeroDevs for post-EOL security support.