CVE-2025-49005: Next.js has a Cache poisoning vulnerability due to omission of the Vary header

July 3, 2025

A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.

Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.

More details: CVE-2025-49005

References

github.com/advisories/GHSA-r2fc-ccr8-96c4
github.com/vercel/next.js
github.com/vercel/next.js/pull/79939
github.com/vercel/next.js/releases/tag/v15.3.3
github.com/vercel/next.js/security/advisories/GHSA-r2fc-ccr8-96c4
nvd.nist.gov/vuln/detail/CVE-2025-49005
vercel.com/changelog/cve-2025-49005

Code Behaviors & Features

Detect and mitigate CVE-2025-49005 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →