Vulnerability Description
Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cache poisoning if the CDN does not properly distinguish between RSC / HTML in the cache keys. This issue has been resolved in Next.js 15.3.3.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vercel | Next.Js | >= 15.3.0, < 15.3.3 |
| Vercel | Vercel | >= 41.4.1, < 42.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/vercel/next.js/commit/ec202eccf05820b60c6126d6411fe16766ecc06Patch
- https://github.com/vercel/next.js/issues/79346ExploitIssue Tracking
- https://github.com/vercel/next.js/releases/tag/v15.3.3Release Notes
- https://github.com/vercel/next.js/security/advisories/GHSA-r2fc-ccr8-96c4Vendor Advisory
- https://vercel.com/changelog/cve-2025-49005Vendor Advisory
- https://github.com/vercel/next.js/issues/79346ExploitIssue Tracking
FAQ
What is CVE-2025-49005?
CVE-2025-49005 is a vulnerability with a CVSS score of 3.7 (LOW). Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was foun...
How severe is CVE-2025-49005?
CVE-2025-49005 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-49005?
Check the references section above for vendor advisories and patch information. Affected products include: Vercel Next.Js, Vercel Vercel.