CVE-2025-49826: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in vercel next.js
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow an HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.
AI Analysis
Technical Summary
CVE-2025-49826 is a high-severity vulnerability classified under CWE-444, which involves inconsistent interpretation of HTTP requests, commonly referred to as HTTP Request/Response Smuggling. It affects the Next.js framework, a popular React-based full-stack web application framework maintained by Vercel. The flaw exists in Next.js versions from 15.0.4-canary.51 up to but not including 15.1.8.
The vulnerability manifests as a cache poisoning issue that can lead to a Denial of Service (DoS) condition. Under certain circumstances, the framework may cache an HTTP 204 (No Content) response for static pages. A 204 response indicates that the server successfully processed the request but is not returning any content, so once it is cached, subsequent users requesting the same static page receive the 204 response instead of the actual page content. In effect, blank pages are served to all users, causing service disruption. Importantly, this issue does not affect customers hosted directly on Vercel's platform, implying the vulnerability is relevant primarily to self-hosted or custom deployments of Next.js.
The vulnerability does not impact confidentiality or integrity but severely affects availability, as legitimate users are denied access to content. The CVSS v3.1 base score is 7.5, reflecting a high severity level due to network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability was publicly disclosed on July 3, 2025, and has been addressed in Next.js version 15.1.8. No known exploits are currently reported in the wild. This vulnerability highlights the risks of improper HTTP response caching and the challenges of handling HTTP semantics consistently in modern web frameworks, especially when caching intermediaries are involved.
Potential Impact
For European organizations using self-hosted Next.js versions from 15.0.4-canary.51 up to but not including 15.1.8, this vulnerability poses a significant risk of service disruption. Websites or web applications relying on static page caching may inadvertently serve empty pages (HTTP 204) to end users, resulting in denial of service. This can degrade user experience, damage brand reputation, and potentially lead to financial losses, especially for e-commerce, media, and public service websites. Since the vulnerability does not affect confidentiality or integrity, data breaches or unauthorized data modification are not immediate concerns. However, the availability impact can be critical for organizations with high web traffic or those providing critical online services. The fact that Vercel-hosted customers are not affected reduces the scope somewhat, but many European enterprises self-host Next.js applications for compliance, customization, or cost reasons. Additionally, the ease of exploitation (no authentication or user interaction required) means attackers can trigger the cache poisoning remotely over the network, increasing the threat level. The absence of known exploits in the wild suggests the vulnerability is newly disclosed, but proactive patching is essential to prevent potential attacks.
Mitigation Recommendations
European organizations should immediately assess their Next.js deployments to identify if they are running affected versions (>=15.0.4-canary.51 and <15.1.8). The primary mitigation is to upgrade to Next.js version 15.1.8 or later, where the vulnerability has been fixed. For environments where immediate upgrade is not feasible, organizations should consider disabling or carefully configuring caching mechanisms for static pages to prevent caching of HTTP 204 responses. Additional measures:
- Implementing strict cache-control headers that prevent caching of empty or no-content responses can reduce risk.
- Deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious HTTP request patterns that could trigger the vulnerability may provide temporary protection.
- Monitoring web server and application logs for unusual 204 response caching or spikes in 204 responses served can help detect exploitation attempts.
- Organizations should also review their HTTP proxy and CDN configurations to ensure they handle HTTP response codes correctly and do not inadvertently cache 204 responses.
- Finally, educating development and operations teams about the risks of HTTP response smuggling and proper cache management in Next.js applications will help prevent similar issues in the future.
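The log monitoring recommended above, as an added example (not code from the advisory or from Next.js): it scans access-log lines for routes that earlier returned a 200 with a body and now end the log with a run of 204s served to several clients. The common/combined log format, the thresholds `minRun` and `minClients`, and the sample log lines are assumptions constructed for illustration.

```javascript
// Added example, not code from the advisory or from Next.js.
// Assumption: access logs use the common/combined log format.
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  // Requests are grouped by path; the query string is dropped (assumption).
  return { client: m[1], method: m[2], path: m[3].split('?')[0],
           status: Number(m[4]), bytes: m[5] === '-' ? 0 : Number(m[5]) };
}

// Flags paths that served real content earlier and now end the log with a run
// of GET 204s seen by several clients (the symptom of a cached 204).
function findSuspectPages(lines, { minRun = 3, minClients = 2 } = {}) {
  const pages = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.method !== 'GET') continue;
    const p = pages.get(r.path) || { sawContent: false, run: 0, clients: new Set() };
    if (r.status === 200 && r.bytes > 0) {
      p.sawContent = true; // page is (again) serving content: reset the run
      p.run = 0;
      p.clients.clear();
    } else if (r.status === 204) {
      p.run += 1;
      p.clients.add(r.client);
    } // other statuses (304, 404, ...) neither extend nor reset the run
    pages.set(r.path, p);
  }
  return [...pages]
    .filter(([, p]) => p.sawContent && p.run >= minRun && p.clients.size >= minClients)
    .map(([path, p]) => ({ path, run204: p.run, clients: p.clients.size }));
}

// Constructed sample log (documentation IP ranges), not real traffic.
const SAMPLE_LOG = [
  '192.0.2.10 - - [03/Jul/2025:10:00:01 +0000] "GET /pricing HTTP/1.1" 200 18432',
  '198.51.100.7 - - [03/Jul/2025:10:00:02 +0000] "GET /api/ping HTTP/1.1" 204 0',
  '192.0.2.44 - - [03/Jul/2025:10:00:03 +0000] "GET /about HTTP/1.1" 200 9120',
  '203.0.113.5 - - [03/Jul/2025:10:01:10 +0000] "GET /pricing HTTP/1.1" 204 0',
  '192.0.2.10 - - [03/Jul/2025:10:01:12 +0000] "GET /pricing?ref=mail HTTP/1.1" 204 0',
  '192.0.2.44 - - [03/Jul/2025:10:01:15 +0000] "GET /about HTTP/1.1" 204 0',
  '198.51.100.7 - - [03/Jul/2025:10:01:20 +0000] "GET /pricing HTTP/1.1" 204 0',
  '203.0.113.5 - - [03/Jul/2025:10:01:21 +0000] "GET /api/ping HTTP/1.1" 204 0',
  '192.0.2.44 - - [03/Jul/2025:10:01:22 +0000] "GET /api/ping HTTP/1.1" 204 0',
];
console.log(findSuspectPages(SAMPLE_LOG));
```

Only `/pricing` is reported: `/api/ping` has never served a body, so its 204s are treated as normal, and `/about` has a single 204, which is below the run threshold.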
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-11T14:33:57.799Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6866f50d6f40f0eb729c68b4
Added to database: 7/3/2025, 9:24:29 PM
Last enriched: 7/14/2025, 9:24:32 PM
Last updated: 7/17/2025, 6:18:20 PM