CVE-2026-44572: CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data in vercel next.js
Next. js versions from 12. 2. 0 up to but not including 15. 5. 16, and from 16. 0. 0 up to but not including 16. 2. 5, contain a vulnerability where an attacker can send a crafted x-nextjs-data header to a middleware-handled redirect path.
AI Analysis
Technical Summary
CVE-2026-44572 describes a vulnerability in Next.js where middleware handling redirects can be manipulated by an attacker sending a x-nextjs-data header. This causes the middleware or proxy to substitute the standard Location redirect header with an internal x-nextjs-redirect header, which browsers ignore. When deployed behind caching CDNs or proxies that cache 3xx responses without varying on this header, this can lead to cache poisoning of redirect responses. As a result, legitimate users receive unusable redirect responses lacking the Location header, effectively causing a denial of service on the affected redirect paths. The vulnerability affects Next.js versions >= 12.2.0 and < 15.5.16, and >= 16.0.0 and < 16.2.5. It is resolved in versions 15.5.16 and 16.2.5.
Potential Impact
The vulnerability can cause denial of service on redirect paths by poisoning cached redirect responses in CDNs or reverse proxies that do not vary cache entries based on the x-nextjs-data header. There is no confidentiality or integrity impact reported. The CVSS score is 3.7 (low severity), reflecting the limited impact and the requirement for specific caching configurations to be vulnerable.
Mitigation Recommendations
This vulnerability is fixed in Next.js versions 15.5.16 and 16.2.5. Users should upgrade to these or later versions to remediate the issue. If upgrading immediately is not possible, ensure that caching CDNs or reverse proxies vary cache keys on the x-nextjs-data header or do not cache 3xx redirect responses for affected paths. Patch status is not explicitly stated in the vendor advisory, but the fixed versions indicate an official fix is available.
CVE-2026-44572: CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data in vercel next.js
Description
Next. js versions from 12. 2. 0 up to but not including 15. 5. 16, and from 16. 0. 0 up to but not including 16. 2. 5, contain a vulnerability where an attacker can send a crafted x-nextjs-data header to a middleware-handled redirect path.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-44572 describes a vulnerability in Next.js where middleware handling redirects can be manipulated by an attacker sending a x-nextjs-data header. This causes the middleware or proxy to substitute the standard Location redirect header with an internal x-nextjs-redirect header, which browsers ignore. When deployed behind caching CDNs or proxies that cache 3xx responses without varying on this header, this can lead to cache poisoning of redirect responses. As a result, legitimate users receive unusable redirect responses lacking the Location header, effectively causing a denial of service on the affected redirect paths. The vulnerability affects Next.js versions >= 12.2.0 and < 15.5.16, and >= 16.0.0 and < 16.2.5. It is resolved in versions 15.5.16 and 16.2.5.
Potential Impact
The vulnerability can cause denial of service on redirect paths by poisoning cached redirect responses in CDNs or reverse proxies that do not vary cache entries based on the x-nextjs-data header. There is no confidentiality or integrity impact reported. The CVSS score is 3.7 (low severity), reflecting the limited impact and the requirement for specific caching configurations to be vulnerable.
Mitigation Recommendations
This vulnerability is fixed in Next.js versions 15.5.16 and 16.2.5. Users should upgrade to these or later versions to remediate the issue. If upgrading immediately is not possible, ensure that caching CDNs or reverse proxies vary cache keys on the x-nextjs-data header or do not cache 3xx redirect responses for affected paths. Patch status is not explicitly stated in the vendor advisory, but the fixed versions indicate an official fix is available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-06T21:49:12.424Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a04a508cbff5d8610e80456
Added to database: 5/13/2026, 4:21:28 PM
Last enriched: 5/13/2026, 4:36:54 PM
Last updated: 5/13/2026, 5:27:15 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.