How the CVE Works
CVE-2025-49005 is a cache poisoning vulnerability in Next.js caused by a missing `Vary` header in HTTP responses. When middleware and redirects are involved, responses are not differentiated by request header, so a maliciously crafted RSC (React Server Components) payload can be cached in place of the legitimate HTML response. Attackers can manipulate cache keys to serve poisoned content to users, leading to potential XSS, data leaks, or unauthorized actions. The vulnerability specifically affects Next.js App Router versions 15.3.0 to 15.3.2 due to improper cache-key generation.
DailyCVE Form
Platform: Next.js
Version: 15.3.0 – 15.3.2
Vulnerability: Cache Poisoning
Severity: Critical
Date: 2025-07-03
Prediction: Patch expected 2025-07-10
What Undercode Say
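```bash
# Inspect the response headers and check whether Vary is present
curl -I http://vulnerable-nextjs-site.com
# Search the installed Next.js build for Vary handling
grep -r "Vary" ./node_modules/next/dist
# Print the installed Next.js version
next --version
```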
How Exploit
1. Craft malicious RSC payload.
2. Trigger middleware redirect.
3. Poison cache via omitted `Vary`.
4. Serve malicious cache to users.
Protection from this CVE
- Upgrade to Next.js 15.3.3+.
- Manually enforce `Vary` headers.
- Disable caching in middleware.
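To make the "manually enforce `Vary`" mitigation and the `curl -I` check concrete, here is an added example (not code from the advisory or from the Next.js project). It merges the RSC-related request headers into a `Vary` value and audits a header dump for responses a shared cache could store without keying on them. The header list in `RSC_VARY` is an assumption based on App Router conventions, and `SAMPLE` is constructed.

```javascript
// Request headers that select an RSC payload instead of HTML.
// Assumed list (App Router conventions); adjust for your deployment.
const RSC_VARY = ["RSC", "Next-Router-State-Tree", "Next-Router-Prefetch"];

// Merge required tokens into an existing Vary value without duplicates.
// Vary tokens are case-insensitive; "*" already varies on everything.
function mergeVary(existing, required = RSC_VARY) {
  const tokens = (existing || "").split(",").map((t) => t.trim()).filter(Boolean);
  if (tokens.includes("*")) return "*";
  const seen = new Set(tokens.map((t) => t.toLowerCase()));
  for (const name of required) {
    if (!seen.has(name.toLowerCase())) {
      tokens.push(name);
      seen.add(name.toLowerCase());
    }
  }
  return tokens.join(", ");
}

// Parse the text printed by `curl -I` into { status, headers }.
function parseHead(text) {
  const lines = text.split(/\r?\n/).filter((l) => l.trim() !== "");
  const status = Number((lines[0] || "").split(" ")[1]);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i < 1) continue;
    const key = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[key] = key in headers ? headers[key] + ", " + value : value;
  }
  return { status, headers };
}

// Report which RSC-related tokens a shared cache would not key on.
// A response without no-store/private is treated as storable (conservative).
function auditHead(text, required = RSC_VARY) {
  const { status, headers } = parseHead(text);
  const cc = (headers["cache-control"] || "").toLowerCase();
  const storable = !/\b(no-store|private)\b/.test(cc);
  const vary = (headers["vary"] || "").split(",").map((t) => t.trim().toLowerCase());
  const missing = vary.includes("*") ? [] : required.filter((n) => !vary.includes(n.toLowerCase()));
  return { status, storable, missing, atRisk: storable && missing.length > 0 };
}

// Constructed sample: a cacheable middleware redirect with no Vary header.
const SAMPLE = "HTTP/1.1 307 Temporary Redirect\r\nLocation: /login\r\nCache-Control: public, max-age=60\r\n";
```

In middleware, the same merge can be applied to the outgoing response with `response.headers.set("Vary", mergeVary(response.headers.get("Vary")))`.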
Impact
- Stored XSS attacks.
- Unauthorized data exposure.
- Cache deception.
Sources:
Reported By: github.com