Denial of Service Vulnerability in Next.js by Vercel
CVE-2025-49826

7.5HIGH

Key Information:

Vendor: Vercel
Status: Next.js
Vendor: CVE Published:; 3 July 2025

Badges

📈 Trended📈 Score: 3,770👾 Exploit Exists📰 News Worthy

What is CVE-2025-49826?

CVE-2025-49826 is a Denial of Service (DoS) vulnerability found in Next.js, an open-source React framework developed by Vercel, used for creating full-stack web applications. This vulnerability, which affects versions from 15.0.4-canary.51 to just prior to 15.1.8, introduces a cache poisoning flaw. When this vulnerability is exploited, it may allow an HTTP 204 response to be incorrectly cached for static pages. Consequently, this could result in users receiving the inaccurate response instead of the intended page content. While Vercel's hosting customers are not impacted by this issue, it poses a significant risk for organizations that deploy the affected versions in their environments, potentially disrupting user access and degrading the overall application performance.

Potential impact of CVE-2025-49826

Service Disruption: The primary concern of this vulnerability is the potential for widespread service interruptions. By exploiting the cache poisoning issue, attackers could serve inaccurate HTTP 204 responses to users, leading to confusion and frustration as users are denied access to valid content.
User Experience Degradation: Organizations may face an adverse impact on user experience, as visitors to the affected applications may encounter unexpected behaviors, reducing trust and satisfaction with the web service. This negative experience could result in a loss of user engagement and loyalty.
Increased Maintenance and Support Costs: The presence of this vulnerability may lead to increased operational costs as organizations deal with user complaints, conduct investigations, and implement fixes. They would need to ensure timely updates and patches are applied to mitigate the risks associated with this vulnerability, diverting resources from other critical initiatives.