Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Key Takeaways
1. Next.js versions 15.1.0-15.1.8 have a cache poisoning bug causing DoS attacks through blank page delivery.
2. Needs affected Next.js version + ISR with cache revalidation + SSR with CDN caching 204 responses.
3. Race condition allows HTTP 204 responses to be cached for static pages, serving empty content to all users.
4. Update to Next.js 15.1.8+ immediately - the vulnerability is fully patched.
A critical security vulnerability identified as CVE-2025-49826 has been discovered in Next.js, the popular React-based web framework, allowing attackers to exploit cache poisoning mechanisms to trigger Denial of Service (DoS) conditions.
The vulnerability, reported by security researchers Allam Rachid (zhero) and Allam Yasser (inzo_), affects Next.js versions ranging from 15.1.0 to 15.1.8, prompting immediate security updates from the development team.
Next.js DoS Vulnerability
The vulnerability stems from a cache poisoning bug that manipulates the framework’s response caching mechanism, specifically targeting HTTP 204 responses in static page rendering.
Under specific conditions, the flaw allows malicious actors to poison the cache with empty responses, causing legitimate users to receive blank pages instead of proper content.
For the vulnerability to be exploitable, three critical conditions must be met simultaneously: deployment of an affected Next.js version (>=15.1.0
#Cyber_Security #Cyber_Security_News #Dos_attack #Next.js #Vulnerability #cyber_security_news
Оригинальная версия на сайте:
Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition
Author: Guru BaranKey Takeaways
1. Next.js versions 15.1.0-15.1.8 have a cache poisoning bug causing DoS attacks through blank page delivery.
2. Needs affected Next.js version + ISR with cache revalidation + SSR with CDN caching 204 responses.
3. Race condition allows HTTP 204 responses to be cached for static pages, serving empty content to all users.
4. Update to Next.js 15.1.8+ immediately - the vulnerability is fully patched.
A critical security vulnerability identified as CVE-2025-49826 has been discovered in Next.js, the popular React-based web framework, allowing attackers to exploit cache poisoning mechanisms to trigger Denial of Service (DoS) conditions.
The vulnerability, reported by security researchers Allam Rachid (zhero) and Allam Yasser (inzo_), affects Next.js versions ranging from 15.1.0 to 15.1.8, prompting immediate security updates from the development team.
Next.js DoS Vulnerability
The vulnerability stems from a cache poisoning bug that manipulates the framework’s response caching mechanism, specifically targeting HTTP 204 responses in static page rendering.
Under specific conditions, the flaw allows malicious actors to poison the cache with empty responses, causing legitimate users to receive blank pages instead of proper content.
For the vulnerability to be exploitable, three critical conditions must be met simultaneously: deployment of an affected Next.js version (>=15.1.0
#Cyber_Security #Cyber_Security_News #Dos_attack #Next.js #Vulnerability #cyber_security_news
Оригинальная версия на сайте:
