CVE-2025-32421: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in vercel next.js
Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content delivery network (CDN) and setting `cache-control: no-store` for all at-risk responses. The maintainers of Next.js strongly recommend only caching responses with explicit `cache-control` headers.
AI Analysis
Technical Summary
CVE-2025-32421 is a race condition vulnerability (CWE-362) in the Next.js framework, affecting versions prior to 14.2.24 and versions from 15.0.0 up to but not including 15.1.6. Next.js is a popular React-based framework for building full-stack web applications. The vulnerability lies in the Pages Router and is reachable only under certain misconfigurations: concurrent requests share state without proper synchronization, so a normal HTTP endpoint can serve `pageProps` data (the props Next.js hands to a page component during rendering) instead of the expected HTML document. The result can be unintended data exposure or application logic errors.

The root cause is the handling of the `x-now-route-matches` HTTP header; if it is not stripped from incoming requests, it can trigger the race. The fix in versions 14.2.24 and 15.1.6 removes this header from incoming requests. Applications hosted on Vercel's platform are not vulnerable, because the platform does not cache a response merely because it returned `200 OK` without explicit `cache-control` headers. Self-hosted deployments that cannot upgrade immediately should strip the `x-now-route-matches` header at the content delivery network (CDN) or reverse proxy and set `cache-control: no-store` on all at-risk responses so that sensitive data is never cached. The Next.js maintainers emphasize caching only responses that carry explicit `cache-control` headers, to avoid similar issues.

The CVSS v3.1 base score is 3.7 (low): network attack vector, high attack complexity, no privileges required, no user interaction, limited confidentiality impact, and no integrity or availability impact. No exploits in the wild were reported as of the publication date.
Potential Impact
For European organizations using vulnerable versions of Next.js in self-hosted environments, this vulnerability could lead to inadvertent exposure of internal application data (`pageProps`) through normal endpoints. While the confidentiality impact is limited, such data leakage could reveal sensitive application state or user-related information, potentially aiding attackers in further reconnaissance or targeted attacks. The integrity and availability of applications are not directly affected. Organizations relying on Next.js for customer-facing web applications or internal portals may face reputational risks if sensitive data is exposed. Since Vercel-hosted deployments are not affected, the impact is primarily on enterprises managing their own Next.js infrastructure. Given the low CVSS score and absence of known exploits, the immediate risk is moderate; however, the potential for misconfiguration or caching errors in complex deployment scenarios could elevate exposure. European organizations with strict data protection regulations (e.g., GDPR) must consider the implications of any unintended data disclosure, even if limited, and ensure compliance through prompt patching or mitigation.
Mitigation Recommendations
1. Upgrade Next.js to versions 14.2.24 or later, or 15.1.6 or later, as these versions contain the official patch removing the vulnerable header handling.
2. For organizations unable to upgrade immediately, implement a CDN or reverse proxy rule to strip the `x-now-route-matches` header from all incoming requests to the Next.js application.
3. Configure HTTP response headers to include `cache-control: no-store` for all endpoints that could be affected, preventing caching of sensitive data by browsers or intermediary caches.
4. Audit existing caching policies and ensure that only responses with explicit `cache-control` headers are cached, following the Next.js maintainers' recommendations.
5. Conduct thorough testing of the Pages Router configuration to verify that no unintended data leakage occurs under concurrent request scenarios.
6. Monitor application logs and traffic for anomalous requests that include the `x-now-route-matches` header or unexpected response payloads.
7. Educate development and operations teams about the risks of improper synchronization and caching in Next.js applications to prevent similar issues in future deployments.
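The interim mitigations above (strip the header at the proxy, force `cache-control: no-store`, watch the logs for the header) as a Node.js helper set for a reverse proxy in front of a self-hosted Pages Router app. This is an added example, not code from the advisory or from Next.js; the log format it scans, with request headers appended as `name=value` pairs, is an assumption made for the sample.

```javascript
// Added example (not from the advisory or Next.js): helpers a reverse proxy
// in front of a self-hosted Pages Router app could apply per request.
const BLOCKED_HEADER = "x-now-route-matches";

// Mitigation 2: drop the header before the request reaches Next.js.
// Header names are compared case-insensitively, as HTTP requires.
function stripRouteMatchesHeader(incomingHeaders) {
  const forwarded = {};
  for (const [name, value] of Object.entries(incomingHeaders)) {
    if (name.toLowerCase() !== BLOCKED_HEADER) forwarded[name] = value;
  }
  return forwarded;
}

// Mitigation 3: force `cache-control: no-store` on at-risk responses so no
// browser or intermediary cache keeps a body that might be `pageProps` JSON.
// Any cache-control the upstream sent (in any letter case) is replaced.
function forceNoStore(upstreamHeaders) {
  const out = {};
  for (const [name, value] of Object.entries(upstreamHeaders)) {
    if (name.toLowerCase() !== "cache-control") out[name] = value;
  }
  out["cache-control"] = "no-store";
  return out;
}

// Mitigation 6: flag proxy log lines that record the header. Assumes a
// constructed log format in which request headers appear as `name=value`.
function findRequestsWithRouteMatches(logLines) {
  const needle = `${BLOCKED_HEADER}=`;
  return logLines.filter((line) => line.toLowerCase().includes(needle));
}

// Constructed sample log lines (not real traffic) for a stand-alone run.
const SAMPLE_LOG_LINES = [
  "203.0.113.7 GET /account 200 headers: host=app.example.test accept=text/html",
  "203.0.113.9 GET /account 200 headers: host=app.example.test X-Now-Route-Matches=1",
  "198.51.100.4 GET /static/app.js 200 headers: host=app.example.test",
];
```

With nginx as the reverse proxy, the equivalent of `stripRouteMatchesHeader` is `proxy_set_header x-now-route-matches "";`, since an empty value removes the field from the proxied request.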
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-08T10:54:58.366Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fa1484d88663aec51e
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/6/2025, 9:13:03 AM
Last updated: 8/11/2025, 7:44:06 AM