CVE-2025-49826: Next.js vulnerability can lead to DoS via cache poisoning
A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.
Under certain conditions, this issue may allow an HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page.
More details: CVE-2025-49826
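As an added example (not code from the advisory or from the Next.js project), the following JavaScript checks a parsed package-lock.json for installed copies of `next` in the affected range stated above. It assumes the lockfileVersion 2/3 `packages` layout; the function names and the sample lockfile are constructed for illustration, and pre-release builds are compared by their major.minor.patch core only and flagged for manual review.

```javascript
// Affected range as stated in the advisory: 15.0.4 through 15.1.8 (inclusive).
const AFFECTED_MIN = [15, 0, 4];
const AFFECTED_MAX = [15, 1, 8];

// Parse "15.1.3" or "15.1.3-canary.2" into { core: [15, 1, 3], prerelease: bool }.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Compare two [major, minor, patch] triples; returns -1, 0 or 1.
function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version's core falls inside the advisory's inclusive range.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return compareCore(v.core, AFFECTED_MIN) >= 0 && compareCore(v.core, AFFECTED_MAX) <= 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// report every installed copy of "next", including nested (transitive) ones.
function findAffectedNext(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/next$/.test(path)) continue; // skips next-auth, @scope/next
    const v = parseVersion(entry.version);
    findings.push({ path, version: entry.version, affected: isAffected(entry.version),
      needsReview: v === null || v.prerelease }); // assumption: pre-releases are checked by hand
  }
  return findings;
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/next": { version: "15.1.2" },
    "node_modules/some-plugin/node_modules/next": { version: "15.2.0" },
    "node_modules/next-auth": { version: "4.24.0" },
  },
};
console.log(findAffectedNext(sampleLock));
```

To run it against a real project, pass the object obtained from `JSON.parse` of the project's package-lock.json to `findAffectedNext`.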
References
- github.com/advisories/GHSA-67rr-84xm-4c7r
- github.com/vercel/next.js
- github.com/vercel/next.js/commit/16bfce64ef2157f2c1dfedcfdb7771bc63103fd2
- github.com/vercel/next.js/commit/a15b974ed707d63ad4da5b74c1441f5b7b120e93
- github.com/vercel/next.js/security/advisories/GHSA-67rr-84xm-4c7r
- nvd.nist.gov/vuln/detail/CVE-2025-49826
- vercel.com/changelog/cve-2025-49826
Detect and mitigate CVE-2025-49826 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.