Denial of Service Vulnerability in Next.js by Vercel
CVE-2025-49826

7.5 HIGH

Key Information:

Vendor: Vercel

Status
Vendor
CVE Published: 3 July 2025

Badges

📈 Trended | 📈 Score: 3,770 | 👾 Exploit Exists | 📰 News Worthy

What is CVE-2025-49826?

CVE-2025-49826 is a Denial of Service (DoS) vulnerability in Next.js, the open-source React framework developed by Vercel for creating full-stack web applications. It is a cache poisoning flaw affecting versions from 15.0.4-canary.51 up to, but not including, 15.1.8. When exploited, it may cause an HTTP 204 response to be incorrectly cached for static pages, so users receive that response instead of the intended page content. Vercel's hosting customers are not impacted by this issue, but it poses a significant risk for organizations that deploy the affected versions in their environments, potentially disrupting user access and degrading overall application performance.

Potential impact of CVE-2025-49826

  1. Service Disruption: The primary concern of this vulnerability is the potential for widespread service interruptions. By exploiting the cache poisoning issue, attackers could serve inaccurate HTTP 204 responses to users, leading to confusion and frustration as users are denied access to valid content.

  2. User Experience Degradation: Organizations may face an adverse impact on user experience, as visitors to the affected applications may encounter unexpected behaviors, reducing trust and satisfaction with the web service. This negative experience could result in a loss of user engagement and loyalty.

  3. Increased Maintenance and Support Costs: The presence of this vulnerability may lead to increased operational costs as organizations deal with user complaints, conduct investigations, and implement fixes. They would need to ensure timely updates and patches are applied to mitigate the risks associated with this vulnerability, diverting resources from other critical initiatives.

Affected Version(s)

next.js >= 15.0.4-canary.51, < 15.1.8
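
The range above has a prerelease lower bound and a release upper bound, so a plain string or major.minor comparison misclassifies canary builds. As an added example (not from the original page or from Vercel), this JavaScript applies semver precedence to the stated range; the function names and the inventory are constructed for illustration.

```javascript
// Added example (not Vercel's code): is a resolved `next` version inside the
// affected range stated on this page?
const FIRST_AFFECTED = "15.0.4-canary.51"; // inclusive lower bound (from the page)
const FIRST_FIXED = "15.1.8";              // exclusive upper bound (from the page)

function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version.trim());
  if (!m) throw new Error(`not an exact semver version: ${version}`);
  return { core: m.slice(1, 4).map(Number), pre: m[4] ? m[4].split(".") : [] };
}

// Semver 2.0.0 prerelease precedence: a plain release outranks any prerelease
// of the same core; numeric identifiers compare as numbers, not strings.
function comparePre(a, b) {
  if (!a.length || !b.length) return Math.sign(b.length - a.length);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined) return -1; // shorter identifier list ranks lower
    if (b[i] === undefined) return 1;
    const an = /^\d+$/.test(a[i]), bn = /^\d+$/.test(b[i]);
    if (an && bn && Number(a[i]) !== Number(b[i])) return Number(a[i]) < Number(b[i]) ? -1 : 1;
    if (an !== bn) return an ? -1 : 1; // numeric ranks below alphanumeric
    if (!an && a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compare(x, y) {
  const a = parse(x), b = parse(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  return comparePre(a.pre, b.pre);
}

function isAffected(version) {
  return compare(version, FIRST_AFFECTED) >= 0 && compare(version, FIRST_FIXED) < 0;
}

// Constructed inventory: app name -> version read from node_modules/next/package.json.
const inventory = { storefront: "15.1.7", docs: "15.0.4-canary.9", admin: "15.1.8", blog: "15.0.4" };

function affectedApps(apps) {
  return Object.keys(apps).filter((name) => isAffected(apps[name]));
}

console.log(affectedApps(inventory));
```

Feed it the resolved version from the lockfile or installed package, not the range declared in `package.json`.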

News Articles

Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition

A critical security vulnerability identified as CVE-2025-49826 has been discovered in Next.js, the popular React-based web framework.

2 weeks ago

Next.js Vulnerability Allows Attackers to Trigger DoS via Cache Poisoning

A critical vulnerability, tracked as CVE-2025-49826, has been discovered and addressed in the popular React-based web framework, Next.js.

2 weeks ago

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📈 Vulnerability started trending

  • 👾 Exploit known to exist

  • 📰 First article discovered by GBHackers News

  • Vulnerability published

  • Vulnerability Reserved
