Platform: nodejs
Component: next
Fixed in: 15.3.1, 15.3.3
CVE-2025-49005 describes a cache poisoning vulnerability affecting Next.js App Router versions 15.3.0 through 15.3.2. This allows attackers to potentially cache and serve RSC (React Server Components) payloads in place of expected HTML content, impacting application functionality. The vulnerability has been resolved in Next.js 15.3.3, and users are strongly advised to upgrade and redeploy.
The core impact of CVE-2025-49005 is that a cached RSC payload can be served to users who requested the HTML document. The RSC payload is the legitimate server-rendered data stream that the App Router sends to its client-side router (content type text/x-component); it is not HTML, so a browser that receives it in place of the document cannot render the page. Because the entry lives in a shared cache (for example a CDN in front of the application), the condition persists for every visitor to that URL until the entry expires or is purged, and it can be triggered repeatedly by anyone who can send requests to the route. The vulnerability arises from a specific interaction between middleware and redirects in the App Router: the affected responses omit the Vary header that tells a cache to key on the RSC request header, so a cache keyed on the URL alone stores whichever variant it saw first and serves it to all later requests. The CVSS score is LOW, but a persistent, attacker-triggered break of a route warrants prompt attention.
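The following added example (not code from Next.js or Vercel) models the cache-key mechanism described above with a toy shared cache. The origin stand-in borrows two App Router conventions that are real: RSC requests carry the `RSC: 1` request header and are answered with `Content-Type: text/x-component`. The sample bodies are constructed, the middleware/redirect trigger of the real bug is not modelled, and `varyOnRsc` is a hypothetical switch between the vulnerable (no `Vary`) and fixed (`Vary: RSC`) behaviour.

```javascript
// Added example, not code from Next.js or Vercel: a toy shared cache that
// shows why omitting `Vary` lets an RSC payload be served in place of HTML.

// Constructed sample bodies: shape only, not a real Next.js render.
const HTML_BODY = '<!doctype html><html><body><h1>Account</h1></body></html>';
const RSC_BODY = '0:["$","h1",null,{"children":"Account"}]\n';

// Minimal stand-in for an App Router origin. Real App Router marks RSC
// requests with the `RSC: 1` request header and answers them with
// `Content-Type: text/x-component`. `varyOnRsc` is a hypothetical switch
// between the vulnerable behaviour (no Vary) and the fixed one (Vary: RSC).
function appRouterOrigin(request, { varyOnRsc }) {
  const isRsc = request.headers.rsc === '1';
  const headers = {
    'content-type': isRsc ? 'text/x-component' : 'text/html; charset=utf-8',
    'cache-control': 'public, max-age=60',
  };
  if (varyOnRsc) headers.vary = 'RSC';
  return { status: 200, headers, body: isRsc ? RSC_BODY : HTML_BODY };
}

// Shared cache (think CDN) that honours Vary: the primary key is the URL, the
// secondary key is built from the request headers named in the stored Vary.
class SharedCache {
  constructor() { this.byUrl = new Map(); }

  static varyList(headers) {
    return (headers.vary ?? '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
  }

  static secondaryKey(request, vary) {
    return vary.map(name => `${name}=${request.headers[name] ?? ''}`).join('&');
  }

  fetch(request, origin) {
    let record = this.byUrl.get(request.url);
    if (record) {
      const hit = record.entries.get(SharedCache.secondaryKey(request, record.vary));
      if (hit) return { ...hit, fromCache: true };
    }
    const response = origin(request);
    if (!record) {
      // The first response for a URL decides which request headers split the entry.
      record = { vary: SharedCache.varyList(response.headers), entries: new Map() };
      this.byUrl.set(request.url, record);
    }
    record.entries.set(SharedCache.secondaryKey(request, record.vary), response);
    return { ...response, fromCache: false };
  }
}

// An attacker primes the cache with an RSC request; a victim then navigates
// normally (no RSC header) to the same URL. Returns what the victim received.
function runScenario(varyOnRsc) {
  const cache = new SharedCache();
  const origin = req => appRouterOrigin(req, { varyOnRsc });
  const url = '/account';
  cache.fetch({ url, headers: { rsc: '1' } }, origin);       // attacker
  const victim = cache.fetch({ url, headers: {} }, origin);  // victim
  return { contentType: victim.headers['content-type'], fromCache: victim.fromCache, body: victim.body };
}

const poisoned = runScenario(false);
const fixed = runScenario(true);
console.log('no Vary :', poisoned.fromCache, poisoned.contentType); // true text/x-component
console.log('Vary RSC:', fixed.fromCache, fixed.contentType);       // false text/html; charset=utf-8
```

Without `Vary`, the attacker's RSC response and the victim's document request collapse onto the same cache key, so the victim is served text/x-component from cache. With `Vary: RSC`, the two requests map to different secondary keys and the victim's request goes to the origin for HTML. Note that the model assumes the cache honours `Vary`; a cache configured to ignore it would need its own key rule for the RSC header.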
CVE-2025-49005 was publicly disclosed on July 3, 2025, with a corresponding advisory released by Vercel. There are currently no publicly available proof-of-concept exploits. The vulnerability's impact is considered LOW based on the CVSS score, and it has not been added to the CISA KEV catalog. Active exploitation campaigns are not currently reported.
Exploit Status
EPSS: 0.13% (32nd percentile)
The primary mitigation for CVE-2025-49005 is to upgrade to Next.js version 15.3.3 or later, which includes the fix for the cache poisoning condition. After upgrading, it is crucial to redeploy the application so that the corrected response headers are actually served; entries that a shared cache stored while the vulnerable build was live remain valid until they expire or are purged, so purge the cache for affected routes as part of the redeploy. There are no known configuration workarounds or WAF rules that address this vulnerability without upgrading. Verify the upgrade by sending a request with the RSC: 1 request header to a route and then a normal document request for the same route: the second request must return text/html, and the responses should carry a Vary header that names RSC.
Upgrade Next.js to version 15.3.3 or higher. The fix restores the Vary header that the affected responses omitted, so HTML responses and React Server Component (RSC) payloads are stored and served as separate cache variants.
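The following added example (not tooling from Vercel or the Next.js project) implements the post-upgrade check described in the mitigation notes above: prime the route with an `RSC: 1` request first, then fetch it as a normal document, and confirm the document request still returns HTML and that both responses list RSC in `Vary`. `assessResponses` is a pure check over two captured responses so it can run offline on constructed input; `probe` is the live wrapper, run as `node check.js https://example.test/account` (URL and file name are placeholders). The body test `/^\d+:/` is a heuristic for the RSC payload's row format, not a parser.

```javascript
// Added example, not Next.js or Vercel code: verify that a redeployed app no
// longer serves a cached RSC payload for a document request.

function headerList(value) {
  return (value ?? '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Pure check over two captured responses of shape { status, headers, body }.
// `navigation` is the plain document request, `rsc` the one sent with `RSC: 1`.
function assessResponses(navigation, rsc) {
  const problems = [];
  const navType = (navigation.headers['content-type'] ?? '').toLowerCase();
  const rscType = (rsc.headers['content-type'] ?? '').toLowerCase();

  if (!navType.startsWith('text/html')) {
    problems.push(`document request got "${navType || 'no content-type'}" instead of text/html`);
  }
  // Heuristic: RSC (flight) payload rows start with a numeric id and a colon.
  if (/^\d+:/.test(navigation.body.trimStart())) {
    problems.push('document response body looks like an RSC payload');
  }
  if (!rscType.startsWith('text/x-component')) {
    problems.push(`RSC request got "${rscType || 'no content-type'}" instead of text/x-component`);
  }
  for (const [label, res] of [['document', navigation], ['RSC', rsc]]) {
    if (!headerList(res.headers.vary).includes('rsc')) {
      problems.push(`${label} response does not list RSC in Vary`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Live probe (Node 18+ global fetch). The RSC request goes first on purpose:
// on a vulnerable deployment it is the one that poisons the shared cache.
async function probe(url) {
  const capture = async init => {
    const r = await fetch(url, init);
    const headers = {};
    r.headers.forEach((v, k) => { headers[k] = v; });
    return { status: r.status, headers, body: await r.text() };
  };
  const rsc = await capture({ headers: { RSC: '1' } });
  const navigation = await capture({ headers: { Accept: 'text/html' } });
  return assessResponses(navigation, rsc);
}

if (process.argv[2]) {
  probe(process.argv[2]).then(result => {
    console.log(result.ok ? 'OK: document request returned HTML' : result.problems.join('\n'));
    process.exitCode = result.ok ? 0 : 1;
  });
}
```

Run the probe against each route that sits behind middleware or a redirect, since those are the responses the advisory names. A failing `Vary` check with a passing content-type check means the cache has not been hit yet rather than that the fix is present; repeat the two requests so the second pass exercises the cached entry.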
CVE-2025-49005 is a cache poisoning vulnerability in Next.js App Router versions 15.3.0 to 15.3.2 that allows an attacker to cause a cached RSC payload to be served in place of the expected HTML document.
You are affected if you are using Next.js App Router versions 15.3.0, 15.3.1, or 15.3.2. Upgrade to 15.3.3 or later to resolve the issue.
Upgrade to Next.js version 15.3.3 or later and redeploy your application. This is the only known mitigation.
Currently, there are no reports of active exploitation or publicly available proof-of-concept exploits for CVE-2025-49005.
You can find the official advisory and more details on the Vercel changelog: https://vercel.com/changelog/cve-2025-49005