Input validation error in Next.js - CVE-2025-49826

 

Published: July 4, 2025


Vulnerability identifier: #VU112181
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-49826
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: vercel
Affected software:
Next.js

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in the application code that can cause an HTTP 204 response to be cached and then served for static pages. A remote attacker can poison the web application cache and perform a denial of service attack.
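One way to look for the condition described above in your own logs, as an added example that is not from this advisory or from the Next.js project: it scans access log lines for static page routes that were answered with an empty HTTP 204. The log format, the route list and the sample lines are constructed assumptions.

```javascript
// Constructed sample of edge/proxy access log lines (not real traffic).
// Assumed format: ISO timestamp, method, path, status, body bytes, cache state.
const SAMPLE_LOG = `
2025-07-04T10:00:01Z GET /about 200 18432 HIT
2025-07-04T10:00:05Z GET /api/ping 204 0 MISS
2025-07-04T10:02:10Z GET /about 204 0 MISS
2025-07-04T10:02:11Z GET /about 204 0 HIT
2025-07-04T10:02:15Z GET /pricing 204 0 HIT
2025-07-04T10:03:40Z GET /about 204 0 HIT
2025-07-04T10:09:00Z GET /pricing 200 9120 MISS
malformed line that should be skipped
`;

// Routes expected to render HTML (assumption: taken from your own build output).
const STATIC_PAGES = new Set(["/about", "/pricing", "/"]);

function parseLine(line) {
  const m = /^(\S+) (GET|HEAD) (\S+) (\d{3}) (\d+) (HIT|MISS|STALE)$/.exec(line.trim());
  if (!m) return null;
  // Strip the query string so /about?x=1 maps to the /about route.
  const path = m[3].split("?")[0];
  return { time: m[1], method: m[2], path, status: Number(m[4]), cache: m[6] };
}

// Returns one finding per static page that was served an empty 204,
// with a flag telling whether the latest response is still a 204.
function findCached204(logText, staticPages) {
  const byPath = new Map();
  for (const line of logText.split("\n")) {
    const rec = parseLine(line);
    if (!rec || rec.method !== "GET" || !staticPages.has(rec.path)) continue;
    let f = byPath.get(rec.path);
    if (!f) {
      f = { path: rec.path, count204: 0, cacheHits204: 0, firstSeen: null, stillAffected: false };
      byPath.set(rec.path, f);
    }
    if (rec.status === 204) {
      f.count204 += 1;
      if (rec.cache === "HIT") f.cacheHits204 += 1;
      if (!f.firstSeen) f.firstSeen = rec.time;
    }
    // Log is assumed chronological, so the last record decides current state.
    f.stillAffected = rec.status === 204;
  }
  return [...byPath.values()].filter((f) => f.count204 > 0);
}

console.log(findCached204(SAMPLE_LOG, STATIC_PAGES));
```

A page that still shows `stillAffected: true` after the update is installed may be holding the stale entry in an upstream cache and need a purge there.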


How to mitigate CVE-2025-49826

Install updates from the vendor's website.
