Platform: nodejs
Component: next
Fixed in: 15.3.1, 15.3.3
CVE-2025-49005 describes a cache poisoning vulnerability discovered in Next.js App Router. This flaw allows malicious RSC (React Server Components) payloads to be incorrectly cached and served in place of expected HTML content, potentially leading to unexpected application behavior or data manipulation. The vulnerability affects versions 15.3.0 through 15.3.2 of Next.js. A fix has been released in Next.js 15.3.3, requiring both an upgrade and redeployment.
The primary impact of CVE-2025-49005 stems from the potential for unauthorized RSC payloads to be served to users. An attacker could craft a malicious RSC payload that, when cached, would be displayed instead of the intended HTML. This could lead to various consequences, including the injection of malicious scripts, redirection to phishing sites, or the display of misleading information. The vulnerability is particularly concerning because it bypasses standard HTML rendering, potentially making it difficult for users to detect the compromise. While the CVSS score is LOW, the potential for subtle and persistent manipulation of application content warrants immediate attention. The specific conditions requiring middleware and redirects to trigger the vulnerability suggest a targeted attack scenario, rather than a widespread, easily exploitable issue.
CVE-2025-49005 was published on July 3, 2025. The vulnerability's impact is considered LOW according to CVSS. There are currently no publicly available exploits or active campaigns targeting this vulnerability. It is not listed on KEV or EPSS. The vulnerability's reliance on specific middleware and redirect configurations suggests a relatively low probability of exploitation in the wild, but diligent patching remains essential.
Organizations using Next.js App Router versions 15.3.0 through 15.3.2 are at risk. This includes developers building server-rendered React applications and those relying on Next.js's caching mechanisms for performance optimization. Applications with complex middleware configurations or extensive use of redirects are particularly vulnerable.
• nodejs / server: Inspect Next.js application logs for unusual caching patterns or errors related to RSC rendering, for example:
    grep -i 'rsc' /path/to/nextjs/logs/app.log
• nodejs / server: Monitor application performance for unexpected delays or errors that could indicate malicious RSC payloads being served.
• generic web: Check response headers for unexpected caching directives or unusual content types.
• generic web: Review application code for any custom middleware or redirect configurations that might be contributing to the vulnerability.
Disclosure
Exploit status
EPSS: 0.13% (32nd percentile)
CISA SSVC
CVSS vector
The definitive mitigation for CVE-2025-49005 is to upgrade Next.js App Router to version 15.3.3 or later. This updated version includes a fix that prevents the cache poisoning vulnerability. Following the upgrade, it is crucial to redeploy the application to ensure that the new caching behavior is implemented correctly. Prior to upgrading, consider a rollback strategy in case the upgrade introduces unforeseen compatibility issues. Thorough testing in a staging environment is highly recommended. While a temporary workaround is not explicitly provided, ensuring that middleware and redirect configurations are carefully reviewed and validated can help reduce the attack surface. After upgrade, confirm proper caching behavior by manually triggering the affected routes and verifying that the correct HTML content is served.
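The response-header check from the detection list above and the post-upgrade verification step, as an added JavaScript example (not code from the advisory or from Next.js): it assumes the App Router request header RSC: 1, the text/x-component payload type and an RSC member in Vary, and treats identical bodies for the document and RSC requests as a sign that one cache entry is serving both.

```javascript
// Added example (not from the advisory or Next.js): post-upgrade check that one App Router
// route keeps its HTML document and its RSC payload as separate cache variants. Assumes the
// request header `RSC: 1` selects the payload, served as `text/x-component`, and that a
// correct response lists RSC in `Vary` (header names are matched lower-cased).

function parseVary(headers) {
  return (headers["vary"] || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Compare the two variants of one route; each is { headers, body } with lower-cased header
// names. Returns a list of findings, empty when the route looks correct.
function assessRoute(htmlRes, rscRes) {
  const findings = [];
  const htmlType = (htmlRes.headers["content-type"] || "").toLowerCase();
  const rscType = (rscRes.headers["content-type"] || "").toLowerCase();
  if (!parseVary(htmlRes.headers).includes("rsc")) {
    findings.push("HTML response omits RSC from Vary: a shared cache may keep one entry for both variants");
  }
  if (!htmlType.startsWith("text/html")) {
    findings.push(`document request answered with "${htmlType || "no content-type"}" instead of text/html`);
  }
  if (!rscType.startsWith("text/x-component")) {
    findings.push(`RSC request answered with "${rscType || "no content-type"}" instead of text/x-component`);
  }
  if (htmlRes.body === rscRes.body) {
    findings.push("document and RSC requests returned identical bodies: one variant is served for both");
  }
  return findings;
}

// Fetch both variants of a live route (Node 18+ global fetch); redirects are not followed so
// the middleware/redirect responses the advisory mentions are inspected as returned.
async function fetchVariants(url) {
  const toRes = async (r) => ({ headers: Object.fromEntries(r.headers), body: await r.text() });
  const html = await fetch(url, { redirect: "manual" });
  const rsc = await fetch(url, { headers: { RSC: "1" }, redirect: "manual" });
  return [await toRes(html), await toRes(rsc)];
}
// Constructed sample responses: a healthy pair and a pair showing a poisoned document entry.
const VARY = "RSC, Next-Router-State-Tree, Next-Router-Prefetch";
const RSC_BODY = '0:["$","div",null,{"children":"hello"}]\n';
const healthyPair = [
  { headers: { "content-type": "text/html; charset=utf-8", vary: VARY }, body: "<!DOCTYPE html><html><body>hello</body></html>" },
  { headers: { "content-type": "text/x-component", vary: VARY }, body: RSC_BODY },
];
const poisonedPair = [
  { headers: { "content-type": "text/x-component" }, body: RSC_BODY },
  { headers: { "content-type": "text/x-component" }, body: RSC_BODY },
];
```

Run `assessRoute(...(await fetchVariants("https://your-app.example/some/route")))` against each affected route after redeploying; an empty result is the expected state.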
Upgrade Next.js to version 15.3.3 or later. This fixes the cache poisoning vulnerability caused by the omission of the Vary header. The update ensures that HTML responses and React Server Component (RSC) payloads are handled correctly in the cache.
CVE-2025-49005 is a cache poisoning vulnerability in Next.js App Router versions 15.3.0 to 15.3.2, allowing attackers to potentially serve malicious RSC payloads instead of expected HTML.
You are affected if you are using Next.js App Router versions 15.3.0, 15.3.1, or 15.3.2. Upgrade to 15.3.3 or later to resolve the issue.
Upgrade to Next.js version 15.3.3 or later and redeploy your application. This is the only known mitigation.
Currently, there are no reports of active exploitation or publicly available proof-of-concept exploits for CVE-2025-49005.
You can find the official advisory and more details on the Vercel changelog: https://vercel.com/changelog/cve-2025-49005