
CVE-2025-49826: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in vercel next.js

Severity: High
Published: Thu Jul 03 2025 (07/03/2025, 21:03:24 UTC)
Source: CVE Database V5
Vendor/Project: vercel
Product: next.js

Description

Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow an HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.

AI-Powered Analysis

Last updated: 07/03/2025, 21:40:00 UTC

Technical Analysis

CVE-2025-49826 is a high-severity vulnerability in the Next.js framework, affecting versions from 15.0.4-canary.51 up to but not including 15.1.8. Next.js is a widely used React framework for building full-stack web applications. The vulnerability is classified under CWE-444, inconsistent interpretation of HTTP requests, commonly known as HTTP Request/Response Smuggling. It manifests as a cache poisoning issue that can lead to a Denial of Service (DoS) condition: under certain conditions, an HTTP 204 (No Content) response can be cached erroneously for static pages. Subsequent users requesting the affected pages then receive the cached 204 response, which makes the page content unavailable and disrupts the availability of web content served by Next.js applications.

The vulnerability does not affect customers hosted on Vercel's platform, indicating the issue is specific to self-hosted or other deployment environments using the vulnerable Next.js versions. It has a CVSS v3.1 base score of 7.5, reflecting its high severity due to network exploitability without authentication or user interaction and its impact on availability. The issue was publicly disclosed on July 3, 2025, and addressed in Next.js version 15.1.8. No known exploits are currently reported in the wild. The root cause is the inconsistent handling of HTTP responses leading to improper caching behavior, which attackers can exploit to poison caches and cause denial of service by serving empty content to users.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the availability of web applications built with affected versions of Next.js. Organizations relying on self-hosted Next.js deployments for customer-facing websites or internal portals may experience service disruptions if attackers exploit this cache poisoning flaw. The denial of service condition could lead to loss of user trust, reduced operational efficiency, and potential financial losses, especially for e-commerce, media, and critical service providers. Since the vulnerability does not impact Vercel-hosted customers, organizations using Vercel's managed platform are not at risk. However, many European companies deploy Next.js independently, increasing their exposure. The disruption of static page content availability could also affect regulatory compliance related to service uptime and accessibility under EU digital service standards. Additionally, the inability to serve correct page content might indirectly impact confidentiality and integrity if users resort to unsafe workarounds or if attackers combine this issue with other vulnerabilities.

Mitigation Recommendations

European organizations should promptly upgrade all Next.js instances to version 15.1.8 or later, where the vulnerability is fixed. For environments where immediate upgrading is not feasible, organizations should implement strict cache-control headers to prevent caching of HTTP 204 responses, especially for static content. Web application firewalls (WAFs) can be configured to detect and block suspicious HTTP request patterns that may trigger request smuggling attempts. Additionally, thorough testing of caching layers and reverse proxies (e.g., CDNs, Nginx, Varnish) should be conducted to ensure they do not cache 204 responses improperly. Monitoring logs for unusual HTTP response codes and cache hits can help detect exploitation attempts early. Organizations should also review deployment configurations to avoid mixing vulnerable Next.js versions with caching mechanisms that could exacerbate the issue. Finally, educating development and operations teams about HTTP request smuggling risks and secure caching practices will reduce future exposure.
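The log monitoring recommended above comes down to one concrete signal: a page path whose cache answers GET requests with 204. The JavaScript below is an added example, not code from the advisory or from Next.js. The log format (a combined-style access log with the proxy's cache status appended as the last field, such as nginx's $upstream_cache_status), the /api/ exclusion, and the sample lines are assumptions constructed for illustration.

```javascript
// Added example: flag page paths whose cache is serving HTTP 204 to visitors.
// Assumed log format (not from the advisory): combined-style access log with
// the proxy cache status as the last field, e.g. nginx $upstream_cache_status.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) (\S+)$/;

// Cache states in which the response came from the cache, not the origin.
const SERVED_FROM_CACHE = new Set(["HIT", "STALE", "UPDATING", "REVALIDATED"]);

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // ignore lines that do not match the assumed format
  const [, client, time, method, url, status, , cache] = m;
  // Drop the query string so /pricing and /pricing?ref=x count as one page.
  return { client, time, method, path: url.split("?")[0], status: Number(status), cache };
}

function findCached204(lines, ignorePrefixes = ["/api/"]) {
  const byPath = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== "GET") continue;
    // API routes may answer 204 legitimately; the advisory concerns pages.
    if (ignorePrefixes.some((p) => e.path.startsWith(p))) continue;
    if (!byPath.has(e.path)) {
      byPath.set(e.path, { path: e.path, okBefore: 0, cached204: 0, firstSeen: null, clients: new Set() });
    }
    const s = byPath.get(e.path);
    if (e.status === 200 && s.cached204 === 0) s.okBefore += 1;
    if (e.status === 204 && SERVED_FROM_CACHE.has(e.cache)) {
      s.cached204 += 1;
      if (!s.firstSeen) s.firstSeen = e.time;
      s.clients.add(e.client);
    }
  }
  return [...byPath.values()].filter((s) => s.cached204 > 0).map((s) => ({
    path: s.path, cached204: s.cached204, firstSeen: s.firstSeen,
    affectedClients: s.clients.size, served200Earlier: s.okBefore > 0,
  }));
}

// Constructed sample lines (documentation address range), not real traffic.
const SAMPLE_LOG = [
  '198.51.100.10 - - [03/Jul/2025:21:10:02 +0000] "GET /pricing HTTP/1.1" 200 18342 HIT',
  '198.51.100.12 - - [03/Jul/2025:21:12:41 +0000] "GET /pricing HTTP/1.1" 204 0 HIT',
  '198.51.100.13 - - [03/Jul/2025:21:12:45 +0000] "GET /pricing?ref=mail HTTP/1.1" 204 0 HIT',
  '198.51.100.12 - - [03/Jul/2025:21:13:00 +0000] "GET /api/ping HTTP/1.1" 204 0 HIT',
  '198.51.100.14 - - [03/Jul/2025:21:13:05 +0000] "GET /about HTTP/1.1" 200 9120 HIT',
];
console.log(findCached204(SAMPLE_LOG));
```

A path reported with served200Earlier set to true returned content before the cache began answering 204, which is the pattern the advisory describes; purging that cache entry restores the page until the upgrade to 15.1.8 is in place.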


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-06-11T14:33:57.799Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6866f50d6f40f0eb729c68b4

Added to database: 7/3/2025, 9:24:29 PM

Last enriched: 7/3/2025, 9:40:00 PM

Last updated: 7/4/2025, 4:00:26 AM
