How the CVE Works:
CVE-2025-49826 describes a flaw in Next.js (versions 15.0.4 to 15.1.8) in which an HTTP 204 (No Content) response is not handled correctly and can be stored in the server-side cache. An attacker can send crafted requests that cause a static page to return a 204, and that empty response is then cached. Subsequent requests for the same static page are served the cached 204 instead of the real content, producing a denial-of-service condition: legitimate users cannot reach the page because the server keeps returning empty responses.
DailyCVE Form:
Platform: Next.js
Version: 15.0.4 – 15.1.8
Vulnerability: Cache Poisoning
Severity: High
Date: Jul 3, 2025
Prediction: Patch expected by Jul 17, 2025
What Undercode Says:
- Check Next.js version: npm list next
- Verify cache headers: curl -I http://target-site.com/static-page
- Exploit simulation (PoC): curl -X GET -H "Cache-Control: max-age=3600" http://target-site.com/poisoned-path
How the Exploit Works:
- Send crafted requests forcing 204 responses.
- Poison cache for static routes.
- Legitimate users receive empty responses.
Protection from this CVE:
- Upgrade to Next.js >= 15.1.9.
- Disable caching for critical static pages.
- Monitor abnormal 204 responses.
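An added example (not part of the advisory) that turns two of the checks above into code: the "npm list next" version check against the affected range, and the "monitor abnormal 204 responses" advice as a pass over access-log lines. The log format, the trailing cache=<value> field (assumed to carry the upstream x-nextjs-cache header value), and the sample log lines are all constructed for illustration.

```python
import re

# Affected range as stated in the advisory: 15.0.4 through 15.1.8 (fixed in 15.1.9).
AFFECTED_MIN, AFFECTED_MAX = (15, 0, 4), (15, 1, 8)

def is_affected(npm_list_output):
    """Parse 'npm list next' output and report whether the installed version is in range."""
    m = re.search(r"\bnext@(\d+)\.(\d+)\.(\d+)", npm_list_output)
    if not m:
        return False
    return AFFECTED_MIN <= tuple(int(x) for x in m.groups()) <= AFFECTED_MAX

# Assumed (constructed) access-log format: combined log format plus a trailing
# cache=<value> field copied from the upstream x-nextjs-cache header (HIT/MISS/STALE).
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" cache=(?P<cache>\S+)$'
)

def find_poisoned_paths(log_text):
    """Flag page paths where a GET produced a 204 and that 204 is then served from cache.

    A 204 on a GET for an HTML route is abnormal on its own (pages have bodies); a cached
    204 (cache=HIT) is the poisoned state that legitimate users experience as a blank page.
    """
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "204":
            continue
        if m["path"].startswith("/api/") or m["path"].startswith("/_next/"):
            continue  # API routes and build assets are out of scope for this check
        entry = report.setdefault(m["path"], {"poison_candidates": 0, "served_empty": 0})
        if m["cache"] == "HIT":
            entry["served_empty"] += 1       # victim request: empty body served from cache
        else:
            entry["poison_candidates"] += 1  # the request that put the 204 into the cache
    return report

# Constructed sample log lines showing the poisoning sequence on /pricing.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jul/2025:10:00:01 +0000] "GET /pricing HTTP/1.1" 200 5120 "-" "Mozilla/5.0" cache=HIT
203.0.113.9 - - [03/Jul/2025:10:00:07 +0000] "GET /pricing HTTP/1.1" 204 0 "-" "curl/8.0" cache=MISS
198.51.100.2 - - [03/Jul/2025:10:00:09 +0000] "GET /pricing HTTP/1.1" 204 0 "-" "Mozilla/5.0" cache=HIT
198.51.100.3 - - [03/Jul/2025:10:00:12 +0000] "GET /pricing HTTP/1.1" 204 0 "-" "Mozilla/5.0" cache=HIT
203.0.113.5 - - [03/Jul/2025:10:00:15 +0000] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/5.0" cache=HIT
203.0.113.5 - - [03/Jul/2025:10:00:20 +0000] "DELETE /api/item/7 HTTP/1.1" 204 0 "-" "Mozilla/5.0" cache=MISS
"""

if __name__ == "__main__":
    print(is_affected("my-app@1.0.0\n└── next@15.1.7"))  # True
    print(find_poisoned_paths(SAMPLE_LOG))                # {'/pricing': {'poison_candidates': 1, 'served_empty': 2}}
```

Any path reported with served_empty greater than zero is a cache entry to purge immediately; the poison_candidates line gives the request to investigate.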
Impact:
- Service disruption for static pages.
- Reduced site availability.
- Potential loss of user trust.
Sources:
Reported By: github.com