Interpretation Conflict in Next.js - #VU130280

 


Published: May 6, 2026


Vulnerability identifier: #VU130280
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-436
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Next.js
Software vendor: vercel

Description

The vulnerability allows a remote attacker to cause cache poisoning that results in component payloads being served instead of the expected HTML.

The vulnerability exists due to an interpretation conflict in React Server Component (RSC) response handling when shared caches do not correctly partition response variants. A remote attacker can cause an RSC response to be served from the original URL, poisoning the cache so that component payloads are returned instead of the expected HTML.

The issue affects applications using React Server Components with shared caches under affected conditions.
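The variant-partitioning failure described above can be modelled with a small shared cache. This is an added illustration, not code from the advisory or from Next.js. It assumes the RSC variant is requested with an `RSC: 1` request header, returned as `text/x-component`, and announced by the origin through `Vary`; the `SharedCache` class, the `origin` stub and the `/dashboard` path are hypothetical.

```javascript
// Added illustration: a minimal shared-cache model, not Next.js or CDN code.
// Assumption: the RSC variant is selected by an `RSC: 1` request header and
// the origin lists that header in `Vary`. All sample data is constructed.

// Stub origin: one URL, two representations.
function origin(req) {
  const rsc = req.headers.rsc === '1';
  return {
    headers: { 'content-type': rsc ? 'text/x-component' : 'text/html', vary: 'RSC' },
    body: rsc ? '<constructed RSC payload>' : '<html>constructed page</html>',
  };
}

class SharedCache {
  constructor({ honorVary }) {
    this.honorVary = honorVary;
    this.vary = new Map();    // url -> Vary header names learned from the origin
    this.entries = new Map(); // cache key -> stored response
  }
  // URL-only key when Vary is ignored; URL plus varied header values otherwise.
  key(req) {
    const names = this.honorVary ? this.vary.get(req.url) ?? [] : [];
    return [req.url, ...names.map((n) => `${n}=${req.headers[n] ?? ''}`)].join('|');
  }
  fetch(req, originFn) {
    const hit = this.entries.get(this.key(req));
    if (hit) return { ...hit, cache: 'HIT' };
    const res = originFn(req);
    const names = (res.headers.vary ?? '')
      .split(',').map((n) => n.trim().toLowerCase()).filter(Boolean).sort();
    this.vary.set(req.url, names);
    this.entries.set(this.key(req), res); // key recomputed with the learned Vary
    return { ...res, cache: 'MISS' };
  }
}

// Defender check: send both variants of one URL through the cache and report
// whether the plain navigation receives something other than HTML.
function servesWrongVariant(cache) {
  const url = '/dashboard'; // hypothetical path
  cache.fetch({ url, headers: { rsc: '1' } }, origin);
  const nav = cache.fetch({ url, headers: {} }, origin);
  return nav.headers['content-type'] !== 'text/html';
}

console.log('URL-only key  :', servesWrongVariant(new SharedCache({ honorVary: false })));
console.log('Vary-aware key:', servesWrongVariant(new SharedCache({ honorVary: true })));
```

The same pair of requests can be replayed against a staging cache tier to confirm that its key separates the two representations.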


Remediation

Install the security update from the vendor's website.
