Race Condition to Cache Poisoning Vulnerability in the Next.js Framework (Vercel)
CVE-2025-32421

3.7 LOW

Key Information:

Vendor: Vercel

Status: Vendor

CVE Published: 14 May 2025

Badges

Trended | Score: 3,720 | Exploit Exists | News Worthy

What is CVE-2025-32421?

CVE-2025-32421 is a race-condition vulnerability in Next.js, the React framework from Vercel used for building full-stack web applications. It affects versions before 14.2.24 and the 15.x line before 15.1.6. The bug is confined to the Pages Router and only surfaces under certain misconfigurations: when the race is won, a normal page endpoint responds with the route's pageProps JSON (the payload Next.js normally serves to client-side navigations) instead of the rendered HTML. Vercel classifies it as a low-severity cache-poisoning issue and a bypass of the earlier fix for CVE-2024-46982, because a shared cache or CDN in front of the application can store that JSON response and serve it to other visitors, who then receive props data rather than the page. Next.js 14.2.24 and 15.1.6 fix the issue by stripping the x-now-route-matches header from incoming requests; self-hosted deployments that cannot upgrade immediately can apply the same measure at the reverse proxy in front of the application.

Potential impact of CVE-2025-32421

  1. Data Exposure: a poisoned cache entry serves the route's pageProps JSON to visitors who did not request it, so whatever data the page's props carry is disclosed outside its intended rendering path (the CVSS vector rates this confidentiality impact Low).

  2. Incorrect Application Responses: end users receive a raw JSON payload in place of the rendered page while the poisoned entry is served, undermining trust in the application.

  3. Regulatory Non-compliance: if the exposed props include personal data, the organisation may be in breach of data protection obligations, with the legal and financial consequences that follow.

Affected Version(s)

next.js < 14.2.24

next.js >= 15.0.0, < 15.1.6

News Articles

CVE-2025-32421 Impact, Exploitability, and Mitigation Steps | Wiz

Understand the critical aspects of CVE-2025-32421 with a detailed vulnerability assessment, exploitation potential, affected technologies, and remediation guidance.

Security Update: Next.js sites on Netlify not vulnerable to CVE-2025-32421 | Netlify Changelog

CVE-2025-32421 - Vercel

A low severity cache poisoning vulnerability was discovered in Next.js. This affects versions 14.2.9 through <15.1.6 as a bypass of the previous CVE-2024-46982.

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

The published 3.7 base score corresponds to no availability impact (A:N); the same metrics with Availability set to Low would compute to 4.8.

Timeline

  • Exploit known to exist

  • First article discovered by Vulert

  • Vulnerability started trending

  • Vulnerability published

  • Vulnerability reserved
