#VU112179 Input validation error in Next.js - CVE-2025-49005

 


Published: July 4, 2025


Vulnerability identifier: #VU112179
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2025-49005
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Next.js
Software vendor: Vercel

Description

The vulnerability allows a remote attacker to perform a cache poisoning attack.

The vulnerability exists due to the omission of the Vary HTTP header when creating cache data in the App Router. A remote attacker can force the application to cache RSC payloads, which are then served in place of HTML code under specific conditions involving middleware and redirects.
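
The following added example (not part of the advisory and not Next.js code) models why a missing Vary header lets a cached RSC payload answer a request that expects HTML. It covers only the cache-key mechanism, not the middleware and redirect conditions; the `RSC` request header, the `text/x-component` content type, the `/dashboard` URL and the response bodies are assumptions or constructed values not taken from this page.

```javascript
// Added illustration: a shared cache that keys entries the way an HTTP cache
// does (URL plus the request headers listed in the response's Vary header).
// Assumption: RSC fetches carry an `RSC: 1` request header and are answered
// with `text/x-component`; neither name appears in the advisory text.
const parseVary = (v) =>
  (v ?? "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);

class SharedCache {
  constructor() {
    this.varyByUrl = new Map(); // URL -> header names from the last stored Vary
    this.entries = new Map();   // cache key -> stored response
  }
  key(url, req, vary) {
    return [url, ...vary.map((h) => `${h}=${req[h] ?? ""}`)].join("|");
  }
  fetch(url, req, origin) {
    const vary = this.varyByUrl.get(url) ?? [];
    const hit = this.entries.get(this.key(url, req, vary));
    if (hit) return { ...hit, cache: "HIT" };
    const res = origin(url, req);
    const newVary = parseVary(res.headers.vary);
    this.varyByUrl.set(url, newVary);
    this.entries.set(this.key(url, req, newVary), res);
    return { ...res, cache: "MISS" };
  }
}

// Constructed stand-in for the application: same URL, two representations.
function makeOrigin(sendVary) {
  return (url, req) => {
    const rsc = req["rsc"] === "1";
    const headers = { "content-type": rsc ? "text/x-component" : "text/html" };
    if (sendVary) headers.vary = "RSC";
    const body = rsc ? "0:[constructed RSC payload]" : "<html>constructed page</html>";
    return { headers, body };
  };
}

// An RSC fetch populates the cache, then a plain document request follows.
function documentRequestAfterRscFetch(sendVary) {
  const cache = new SharedCache();
  const origin = makeOrigin(sendVary);
  cache.fetch("/dashboard", { rsc: "1" }, origin);
  return cache.fetch("/dashboard", {}, origin);
}

console.log(documentRequestAfterRscFetch(false).headers["content-type"]);
console.log(documentRequestAfterRscFetch(true).headers["content-type"]);
```

Without Vary the document request is a cache hit on the RSC entry; with Vary the two representations get separate cache keys and the document request reaches the origin.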


Remediation

Install updates from the vendor's website.
