CVE-2025-49826 Overview
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow an HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.
Critical Impact
High severity cache poisoning that may lead to Denial of Service (DoS).
Affected Products
- Vercel Next.js 15.0.4-canary.51
- Vercel Next.js 15.0.4-canary.52
- Any version before 15.1.8
Discovery Timeline
- Date not available - Vulnerability discovered (discoverer not available)
- Date not available - Responsible disclosure to Vercel
- Date not available - CVE CVE-2025-49826 assigned
- Date not available - Vercel releases security patch
- 2025-07-03 - CVE CVE-2025-49826 published to NVD
- 2025-09-10 - Last updated in NVD database
Technical Details for CVE-2025-49826
Vulnerability Analysis
The vulnerability involves cache poisoning which may cause a Denial of Service (DoS) by serving HTTP 204 responses incorrectly cached for static pages. This can result in legitimate users being unable to access affected web applications.
Root Cause
Improper cache handling allowed HTTP 204 responses to be erroneously cached and served for static pages.
Attack Vector
The attack can be initiated over the Network, targeting the caching mechanism of Next.js applications served from affected versions.
// Example code snippet for educational purposes
fetch('https://example.com/static-page', {
  method: 'GET',
  cache: 'no-store' // bypasses the browser cache only; a CDN or server cache can still answer
})
  .then(response => {
    if (response.status === 204) {
      console.error('Unexpected cached 204 response');
    }
  })
  .catch(err => console.error('Request failed', err));
Detection Methods for CVE-2025-49826
Indicators of Compromise
- Increased logs of HTTP 204 responses for static pages
- User complaints of inaccessible static content
- Anomalies in cache hit rates
Detection Strategies
Utilize web server logs to identify patterns of HTTP 204 status responses from static pages and correlate with access reports to detect cache-related anomalies.
Monitoring Recommendations
Implement monitoring for abnormal HTTP status codes and increased cache miss rates in application performance monitoring tools.
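The detection strategy above, worked through on log data as an added example (this is not code from the advisory or from the Next.js project). It parses access log lines in combined log format with an assumed trailing cache-status token (HIT/MISS/-) of the kind a reverse proxy or CDN can append, then flags static paths whose responses are dominated by HTTP 204. The sample log lines, the path allowlist and the thresholds are constructed for the example; 204 responses on API endpoints or non-GET requests are normal and are excluded so they do not produce false alerts.

```javascript
// Added example, not from the advisory or the Next.js project. Parses web
// server access logs and flags static paths whose responses are dominated by
// HTTP 204, the symptom the advisory describes for CVE-2025-49826.
// Log format: combined log format plus an optional trailing cache-status
// token (HIT/MISS/-) as a reverse proxy or CDN might append (assumed).

// Constructed sample log (not real traffic). /about starts as a normal 200,
// then a 204 is cached and served from cache to every later visitor.
const SAMPLE_LOG = [
  '203.0.113.10 - - [03/Jul/2025:10:00:01 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0" MISS',
  '203.0.113.11 - - [03/Jul/2025:10:00:05 +0000] "GET /about HTTP/1.1" 204 0 "-" "Mozilla/5.0" MISS',
  '203.0.113.12 - - [03/Jul/2025:10:00:09 +0000] "GET /about HTTP/1.1" 204 0 "-" "Mozilla/5.0" HIT',
  '203.0.113.13 - - [03/Jul/2025:10:00:12 +0000] "GET /about HTTP/1.1" 204 0 "-" "Mozilla/5.0" HIT',
  '203.0.113.14 - - [03/Jul/2025:10:00:20 +0000] "GET /about HTTP/1.1" 204 0 "-" "Mozilla/5.0" HIT',
  '203.0.113.15 - - [03/Jul/2025:10:00:31 +0000] "GET /about HTTP/1.1" 204 0 "-" "Mozilla/5.0" HIT',
  '203.0.113.20 - - [03/Jul/2025:10:00:02 +0000] "GET /pricing HTTP/1.1" 200 7310 "-" "Mozilla/5.0" HIT',
  '203.0.113.21 - - [03/Jul/2025:10:00:06 +0000] "GET /pricing HTTP/1.1" 200 7310 "-" "Mozilla/5.0" HIT',
  '203.0.113.22 - - [03/Jul/2025:10:00:14 +0000] "GET /pricing HTTP/1.1" 200 7310 "-" "Mozilla/5.0" HIT',
  '203.0.113.23 - - [03/Jul/2025:10:00:18 +0000] "GET /pricing HTTP/1.1" 200 7310 "-" "Mozilla/5.0" HIT',
  '203.0.113.24 - - [03/Jul/2025:10:00:25 +0000] "GET /pricing HTTP/1.1" 200 7310 "-" "Mozilla/5.0" HIT',
  '203.0.113.30 - - [03/Jul/2025:10:00:03 +0000] "POST /api/ping HTTP/1.1" 204 0 "-" "curl/8.0" -',
  '203.0.113.31 - - [03/Jul/2025:10:00:07 +0000] "POST /api/ping HTTP/1.1" 204 0 "-" "curl/8.0" -',
  'this line is not a log entry',
];

// ip ident user [time] "method path proto" status bytes "referer" "ua" [cache]
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "[^"]*"(?: (\S+))?$/;

// Parse one line; returns null for lines that do not match the format.
function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1],
    time: m[2],
    method: m[3],
    path: m[4].split('?')[0], // drop the query string so variants aggregate per page
    status: Number(m[5]),
    bytes: m[6] === '-' ? 0 : Number(m[6]),
    cache: (m[7] || '-').toUpperCase(),
  };
}

// Aggregate 204 counts per static path and flag paths where the 204 share of
// responses reaches ratioThreshold (after at least minRequests requests).
function analyze204(lines, opts = {}) {
  const staticPaths = new Set(opts.staticPaths || []);
  const minRequests = opts.minRequests ?? 5;
  const ratioThreshold = opts.ratioThreshold ?? 0.5;
  const stats = {};
  let unparsed = 0;

  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e) { unparsed += 1; continue; }
    // Static pages are only fetched with GET/HEAD; 204s on other verbs or on
    // paths outside the static allowlist (API endpoints) are expected.
    if (!staticPaths.has(e.path) || (e.method !== 'GET' && e.method !== 'HEAD')) continue;
    const s = stats[e.path] || (stats[e.path] = { path: e.path, total: 0, count204: 0, cached204: 0 });
    s.total += 1;
    if (e.status === 204) {
      s.count204 += 1;
      if (e.cache === 'HIT') s.cached204 += 1; // a 204 served from cache is the poisoning signature
    }
  }

  const flagged = Object.values(stats)
    .filter(s => s.total >= minRequests && s.count204 / s.total >= ratioThreshold)
    .map(s => ({ ...s, ratio204: s.count204 / s.total }))
    .sort((a, b) => b.ratio204 - a.ratio204);

  return { stats, flagged, unparsed };
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = analyze204(SAMPLE_LOG, { staticPaths: ['/about', '/pricing'] });
  for (const f of report.flagged) {
    console.log(`ALERT ${f.path}: ${f.count204}/${f.total} responses are 204 (${f.cached204} served from cache)`);
  }
}
```

On the constructed sample this flags /about (five of six responses are 204, four of them cache hits) and leaves /pricing and the API endpoint alone. In production the allowlist would come from the site's route manifest or a static-asset prefix rather than a hard-coded list, and the thresholds should be tuned against a baseline window where no 204s are expected for static pages at all.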
How to Mitigate CVE-2025-49826
Immediate Actions Required
- Upgrade to Next.js version 15.1.8 or later
- Review current caching configurations
- Implement HTTP caching headers properly
Patch Information
The issue has been resolved in Next.js version 15.1.8. Info about the patch can be found in the Vercel Changelog.
Workarounds
If immediate patching is not feasible, consider disabling caching for static pages by modifying web server or CDN settings.
# Example configuration snippet for Apache (the Header directive requires mod_headers)
<FilesMatch ".*">
    Header set Cache-Control "no-store, no-cache, must-revalidate"
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

