Cache Poisoning Vulnerability in Next.js App Router and Vercel CLI
CVE-2025-49005

3.7 LOW

Key Information:

Vendor

Vercel

Status
Vendor
CVE Published:
3 July 2025

What is CVE-2025-49005?

A cache poisoning vulnerability was identified in Next.js App Router and Vercel CLI that allowed improper responses to be returned for certain page requests under specific conditions. When deployed with Vercel, the concern primarily affected the browser cache. However, self-hosted deployments could encounter severe issues if the CDN fails to differentiate between React Server Component (RSC) payloads and HTML content in cache management. The issue is fixed in Next.js version 15.3.3.

Affected Version(s)

next.js >= 15.3.0, < 15.3.3
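
A defender-side check for the condition described above, added here as an example and not taken from the advisory or from Next.js or Vercel code: it audits sampled CDN request/response records for an RSC payload returned to an ordinary page request and for shared-cacheable responses whose Vary header does not separate the two variants, and it tests a version string against the affected range. The `rsc` request header, the `text/x-component` content type, and the record shape are assumptions not stated on this page.

```javascript
// Added example: audit sampled CDN/cache records for RSC-vs-HTML confusion.
// Assumptions (not from the advisory): the request header name "rsc", the
// RSC content type "text/x-component", and the record shape used below.

// True when a Next.js version is in the affected range >= 15.3.0, < 15.3.3.
function isAffectedNext(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version.trim());
  if (!m) return false; // pre-releases and ranges need manual review
  const [major, minor, patch] = m.slice(1).map(Number);
  return major === 15 && minor === 3 && patch < 3;
}

// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Returns a list of findings for one sampled request/response pair.
function auditRecord(rec) {
  const req = normalize(rec.requestHeaders);
  const res = normalize(rec.responseHeaders);
  const findings = [];
  const type = (res["content-type"] || "").split(";")[0].trim().toLowerCase();
  const wantsRsc = req["rsc"] !== undefined;
  // An ordinary page request must never receive an RSC payload.
  if (!wantsRsc && type === "text/x-component") findings.push("rsc-served-for-html-request");
  // A shared cache can only separate the two variants if Vary names the header.
  const vary = (res["vary"] || "").toLowerCase().split(",").map((s) => s.trim());
  const shared = /(^|,)\s*(public|s-maxage=\d+)/i.test(res["cache-control"] || "");
  if (shared && !vary.includes("rsc") && !vary.includes("*")) findings.push("cacheable-without-vary-rsc");
  return findings;
}

// Constructed sample records (not real traffic).
const SAMPLE = [
  { url: "/dashboard", requestHeaders: { Accept: "text/html" },
    responseHeaders: { "Content-Type": "text/x-component", "Cache-Control": "public, s-maxage=60" } },
  { url: "/dashboard", requestHeaders: { RSC: "1" },
    responseHeaders: { "Content-Type": "text/x-component", "Cache-Control": "s-maxage=60", Vary: "RSC, Accept-Encoding" } },
  { url: "/about", requestHeaders: { Accept: "text/html" },
    responseHeaders: { "Content-Type": "text/html; charset=utf-8", "Cache-Control": "private, no-store" } },
];

// Keep only the records that produced at least one finding.
function auditAll(records) {
  return records.map((r) => ({ url: r.url, findings: auditRecord(r) })).filter((r) => r.findings.length);
}
```

Feed `auditAll` records exported from CDN or reverse-proxy logs in the same shape; any `rsc-served-for-html-request` finding on a self-hosted deployment means the cache in front of the application should be purged after upgrading.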

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
