CVE-2025-32421: Next.js Race Condition to Cache Poisoning

May 15, 2025

Summary We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

References

github.com/advisories/GHSA-qpjv-v59x-3qc4
github.com/vercel/next.js
github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4
nvd.nist.gov/vuln/detail/CVE-2025-32421
vercel.com/changelog/cve-2025-32421

Code Behaviors & Features

Detect and mitigate CVE-2025-32421 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →