CVE-2025-49005: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in vercel next.js
Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cache poisoning if the CDN does not properly distinguish between RSC / HTML in the cache keys. This issue has been resolved in Next.js 15.3.3.
AI Analysis
Technical Summary
CVE-2025-49005 is a vulnerability identified in the Next.js framework, specifically affecting versions from 15.3.0 up to but not including 15.3.3, as well as Vercel CLI versions 41.4.1 to 42.2.0. Next.js is a widely used React framework for building full-stack web applications. The vulnerability is categorized under CWE-444, which relates to inconsistent interpretation of HTTP requests, commonly known as HTTP Request/Response Smuggling. The core issue involves a cache poisoning vulnerability where page requests intended to return HTML content could instead return a React Server Component (RSC) payload under certain conditions. This inconsistency arises from how the framework and potentially the CDN handle cache keys, failing to properly distinguish between RSC and HTML content types. When deployed on Vercel's platform, the impact is limited to the browser cache, preventing CDN-level cache poisoning. However, in self-hosted or externally deployed environments where the CDN does not differentiate cache keys correctly, this vulnerability could lead to cache poisoning at the CDN level. Cache poisoning can cause users to receive malicious or unintended content, potentially leading to further exploitation such as cross-site scripting or information disclosure. The vulnerability does not require authentication or user interaction but has a relatively low CVSS score of 3.7 due to the complexity of exploitation and limited impact on confidentiality and availability. The issue was addressed and resolved in Next.js version 15.3.3.
Potential Impact
For European organizations using Next.js versions from 15.3.0 up to but not including 15.3.3 or affected Vercel CLI versions, the vulnerability poses a risk primarily in self-hosted or externally deployed environments where CDNs do not properly segregate cache keys for RSC and HTML content. The impact includes potential cache poisoning, which can lead to users receiving incorrect or malicious content. This can undermine user trust, degrade service integrity, and potentially facilitate further attacks such as client-side code injection or session hijacking. While the vulnerability does not directly compromise server confidentiality or availability, the integrity of delivered content is at risk. Organizations relying on Vercel's managed platform are less affected since the issue is confined to browser cache poisoning, which is less severe. European organizations with stringent data protection regulations and high standards for web application security may face reputational damage and compliance challenges if exploited. The risk is heightened for sectors with high web traffic and sensitive user interactions, such as finance, e-commerce, and government services.
Mitigation Recommendations
European organizations should promptly upgrade Next.js to version 15.3.3 or later and update Vercel CLI beyond version 42.2.0 to remediate the vulnerability. For self-hosted deployments, ensure that the CDN or caching layer correctly distinguishes between React Server Component payloads and standard HTML content in cache keys to prevent poisoning. This may involve configuring cache key policies or using cache-busting techniques specific to content type. Implement rigorous testing of cache behavior in staging environments to detect any inconsistencies. Additionally, organizations should monitor web traffic for anomalies indicative of cache poisoning, such as unexpected content served to users. Employing Content Security Policy (CSP) headers can mitigate the impact of malicious content injection resulting from cache poisoning. Finally, maintain an inventory of affected software versions and integrate vulnerability scanning into the CI/CD pipeline to prevent deployment of vulnerable versions.
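The cache-key requirement above, as an added example that is not part of the original advisory or of Next.js itself: a constructed model of a shared cache showing how URL-only keys mix HTML and RSC variants, plus a check that flags non-RSC requests answered with an RSC payload. It assumes App Router RSC fetches send an `RSC: 1` request header and receive `Content-Type: text/x-component`; the function names and sample records are hypothetical.

```javascript
// Added example: constructed model, not code from Next.js or any CDN.
// Assumption: RSC fetches carry "RSC: 1" and are answered with text/x-component.
// Header names are lower-cased, as Node.js presents them.
const RSC_TYPE = "text/x-component";

// Weak policy: method + URL only, so the HTML and RSC variants share one slot.
function weakKey(req) {
  return `${req.method} ${req.url}`;
}

// Corrected policy: the RSC request header selects a separate cache slot.
function hardenedKey(req) {
  const variant = req.headers["rsc"] === "1" ? "rsc" : "html";
  return `${req.method} ${req.url} variant=${variant}`;
}

// Replays exchanges through a cache that uses keyFn; returns what each client got.
function replay(exchanges, keyFn) {
  const cache = new Map();
  return exchanges.map(({ req, originResponse }) => {
    const key = keyFn(req);
    if (!cache.has(key)) cache.set(key, originResponse); // first response wins
    return { req, res: cache.get(key) };
  });
}

// Check: a request without the RSC header must never receive an RSC payload.
function findMismatches(served) {
  return served.filter(({ req, res }) =>
    req.headers["rsc"] !== "1" && res.contentType.startsWith(RSC_TYPE));
}

// Constructed sample traffic: a client-side navigation, then two page loads.
const html = { contentType: "text/html; charset=utf-8", body: "<!DOCTYPE html><html></html>" };
const rsc = { contentType: RSC_TYPE, body: '0:["constructed-rsc-payload"]' };
const SAMPLE = [
  { req: { method: "GET", url: "/pricing", headers: { rsc: "1" } }, originResponse: rsc },
  { req: { method: "GET", url: "/pricing", headers: {} }, originResponse: html },
  { req: { method: "GET", url: "/about", headers: {} }, originResponse: html },
];

console.log("URL-only key mismatches:", findMismatches(replay(SAMPLE, weakKey)).length);
console.log("RSC-aware key mismatches:", findMismatches(replay(SAMPLE, hardenedKey)).length);
```

The same `findMismatches` condition can be applied to CDN access logs that record the request's `RSC` header and the response `Content-Type`.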
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-29T16:34:07.175Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6866f1946f40f0eb729c3cd7
Added to database: 7/3/2025, 9:09:40 PM
Last enriched: 7/14/2025, 9:23:47 PM
Last updated: 8/14/2025, 7:51:06 AM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)