CVE-2025-49005 is a vulnerability identified in the Next.js framework, specifically affecting versions from 15.3.0 up to but not including 15.3.3, as well as Vercel CLI versions 41.4.1 to 42.2.0. Next.js is a widely used React framework for building full-stack web applications. The vulnerability is categorized under CWE-444, which relates to inconsistent interpretation of HTTP requests, commonly known as HTTP Request/Response Smuggling. The core issue involves a cache poisoning vulnerability where page requests intended to return HTML content could instead return a React Server Component (RSC) payload under certain conditions. This inconsistency arises from how the framework and potentially the CDN handle cache keys, failing to properly distinguish between RSC and HTML content types. When deployed on Vercel's platform, the impact is limited to the browser cache, preventing CDN-level cache poisoning. However, in self-hosted or externally deployed environments where the CDN does not differentiate cache keys correctly, this vulnerability could lead to cache poisoning at the CDN level. Cache poisoning can cause users to receive malicious or unintended content, potentially leading to further exploitation such as cross-site scripting or information disclosure. The vulnerability does not require authentication or user interaction but has a relatively low CVSS score of 3.7 due to the complexity of exploitation and limited impact on confidentiality and availability. The issue was addressed and resolved in Next.js version 15.3.3.

For European organizations using Next.js versions between 15.3.0 and 15.3.3 or affected Vercel CLI versions, the vulnerability poses a risk primarily in self-hosted or externally deployed environments where CDNs do not properly segregate cache keys for RSC and HTML content. The impact includes potential cache poisoning, which can lead to users receiving incorrect or malicious content. This can undermine user trust, degrade service integrity, and potentially facilitate further attacks such as client-side code injection or session hijacking. While the vulnerability does not directly compromise server confidentiality or availability, the integrity of delivered content is at risk. Organizations relying on Vercel's managed platform are less affected since the issue is confined to browser cache poisoning, which is less severe. European organizations with stringent data protection regulations and high standards for web application security may face reputational damage and compliance challenges if exploited. The risk is heightened for sectors with high web traffic and sensitive user interactions, such as finance, e-commerce, and government services.

European organizations should promptly upgrade Next.js to version 15.3.3 or later and update Vercel CLI beyond version 42.2.0 to remediate the vulnerability. For self-hosted deployments, ensure that the CDN or caching layer correctly distinguishes between React Server Component payloads and standard HTML content in cache keys to prevent poisoning. This may involve configuring cache key policies or using cache-busting techniques specific to content type. Implement rigorous testing of cache behavior in staging environments to detect any inconsistencies. Additionally, organizations should monitor web traffic for anomalies indicative of cache poisoning, such as unexpected content served to users. Employing Content Security Policy (CSP) headers can mitigate the impact of malicious content injection resulting from cache poisoning. Finally, maintain an inventory of affected software versions and integrate vulnerability scanning into the CI/CD pipeline to prevent deployment of vulnerable versions.