CVE-2025-49826: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in vercel next.js
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.
AI Analysis
Technical Summary
CVE-2025-49826 is a high-severity vulnerability affecting the Next.js framework, specifically versions from 15.0.4-canary.51 up to but not including 15.1.8. Next.js is a widely used React framework for building full-stack web applications. The vulnerability is classified under CWE-444, which pertains to inconsistent interpretation of HTTP requests, commonly known as HTTP Request/Response Smuggling. This flaw manifests as a cache poisoning issue that can lead to a Denial of Service (DoS) condition. Under certain conditions, a HTTP 204 (No Content) response can be cached erroneously for static pages. As a result, subsequent users attempting to access the affected pages receive the cached 204 response, effectively rendering the page content unavailable. This disrupts the availability of web content served by Next.js applications. Importantly, this vulnerability does not affect customers hosted on Vercel's platform, indicating the issue is specific to self-hosted or other deployment environments using the vulnerable Next.js versions. The vulnerability has a CVSS v3.1 base score of 7.5, reflecting its high severity due to network exploitability without authentication or user interaction and its impact on availability. The issue was publicly disclosed on July 3, 2025, and addressed in Next.js version 15.1.8. No known exploits are currently reported in the wild. The root cause is the inconsistent handling of HTTP responses leading to improper caching behavior, which can be exploited by attackers to poison caches and cause denial of service by serving empty content to users.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the availability of web applications built with affected versions of Next.js. Organizations relying on self-hosted Next.js deployments for customer-facing websites or internal portals may experience service disruptions if attackers exploit this cache poisoning flaw. The denial of service condition could lead to loss of user trust, reduced operational efficiency, and potential financial losses, especially for e-commerce, media, and critical service providers. Since the vulnerability does not impact Vercel-hosted customers, organizations using Vercel's managed platform are not at risk. However, many European companies deploy Next.js independently, increasing their exposure. The disruption of static page content availability could also affect regulatory compliance related to service uptime and accessibility under EU digital service standards. Additionally, the inability to serve correct page content might indirectly impact confidentiality and integrity if users resort to unsafe workarounds or if attackers combine this issue with other vulnerabilities.
Mitigation Recommendations
European organizations should promptly upgrade all Next.js instances to version 15.1.8 or later, where the vulnerability is fixed. For environments where immediate upgrading is not feasible, organizations should implement strict cache-control headers to prevent caching of HTTP 204 responses, especially for static content. Web application firewalls (WAFs) can be configured to detect and block suspicious HTTP request patterns that may trigger request smuggling attempts. Additionally, thorough testing of caching layers and reverse proxies (e.g., CDNs, Nginx, Varnish) should be conducted to ensure they do not cache 204 responses improperly. Monitoring logs for unusual HTTP response codes and cache hits can help detect exploitation attempts early. Organizations should also review deployment configurations to avoid mixing vulnerable Next.js versions with caching mechanisms that could exacerbate the issue. Finally, educating development and operations teams about HTTP request smuggling risks and secure caching practices will reduce future exposure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
CVE-2025-49826: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in vercel next.js
Description
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.
AI-Powered Analysis
Technical Analysis
CVE-2025-49826 is a high-severity vulnerability affecting the Next.js framework, specifically versions from 15.0.4-canary.51 up to but not including 15.1.8. Next.js is a widely used React framework for building full-stack web applications. The vulnerability is classified under CWE-444, which pertains to inconsistent interpretation of HTTP requests, commonly known as HTTP Request/Response Smuggling. This flaw manifests as a cache poisoning issue that can lead to a Denial of Service (DoS) condition. Under certain conditions, a HTTP 204 (No Content) response can be cached erroneously for static pages. As a result, subsequent users attempting to access the affected pages receive the cached 204 response, effectively rendering the page content unavailable. This disrupts the availability of web content served by Next.js applications. Importantly, this vulnerability does not affect customers hosted on Vercel's platform, indicating the issue is specific to self-hosted or other deployment environments using the vulnerable Next.js versions. The vulnerability has a CVSS v3.1 base score of 7.5, reflecting its high severity due to network exploitability without authentication or user interaction and its impact on availability. The issue was publicly disclosed on July 3, 2025, and addressed in Next.js version 15.1.8. No known exploits are currently reported in the wild. The root cause is the inconsistent handling of HTTP responses leading to improper caching behavior, which can be exploited by attackers to poison caches and cause denial of service by serving empty content to users.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the availability of web applications built with affected versions of Next.js. Organizations relying on self-hosted Next.js deployments for customer-facing websites or internal portals may experience service disruptions if attackers exploit this cache poisoning flaw. The denial of service condition could lead to loss of user trust, reduced operational efficiency, and potential financial losses, especially for e-commerce, media, and critical service providers. Since the vulnerability does not impact Vercel-hosted customers, organizations using Vercel's managed platform are not at risk. However, many European companies deploy Next.js independently, increasing their exposure. The disruption of static page content availability could also affect regulatory compliance related to service uptime and accessibility under EU digital service standards. Additionally, the inability to serve correct page content might indirectly impact confidentiality and integrity if users resort to unsafe workarounds or if attackers combine this issue with other vulnerabilities.
Mitigation Recommendations
European organizations should promptly upgrade all Next.js instances to version 15.1.8 or later, where the vulnerability is fixed. For environments where immediate upgrading is not feasible, organizations should implement strict cache-control headers to prevent caching of HTTP 204 responses, especially for static content. Web application firewalls (WAFs) can be configured to detect and block suspicious HTTP request patterns that may trigger request smuggling attempts. Additionally, thorough testing of caching layers and reverse proxies (e.g., CDNs, Nginx, Varnish) should be conducted to ensure they do not cache 204 responses improperly. Monitoring logs for unusual HTTP response codes and cache hits can help detect exploitation attempts early. Organizations should also review deployment configurations to avoid mixing vulnerable Next.js versions with caching mechanisms that could exacerbate the issue. Finally, educating development and operations teams about HTTP request smuggling risks and secure caching practices will reduce future exposure.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-06-11T14:33:57.799Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6866f50d6f40f0eb729c68b4
Added to database: 7/3/2025, 9:24:29 PM
Last enriched: 7/3/2025, 9:40:00 PM
Last updated: 7/4/2025, 4:00:26 AM
Views: 4
Related Threats
CVE-2025-6944: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in undsgn Uncode Core
MediumCVE-2025-7053: Cross Site Scripting in Cockpit
MediumCVE-2025-7046: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dotrex Portfolio for Elementor & Image Gallery | PowerFolio
MediumCVE-2025-6814: CWE-862 Missing Authorization in dunskii Booking X – Appointment and Reservation Availability Calendar
HighCVE-2025-6787: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ibachal Smart Docs
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.