{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-32421", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-08T10:54:58.366Z", "datePublished": "2025-05-14T22:56:45.624Z", "dateUpdated": "2025-05-15T15:42:26.847Z"}, "containers": {"cna": {"title": "Next.js Race Condition to Cache Poisoning", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4"}, {"name": "https://vercel.com/changelog/cve-2025-32421", "tags": ["x_refsource_MISC"], "url": "https://vercel.com/changelog/cve-2025-32421"}], "affected": [{"vendor": "vercel", "product": "next.js", "versions": [{"version": "< 14.2.24", "status": "affected"}, {"version": ">= 15.0.0, < 15.1.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-14T22:56:45.624Z"}, "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers."}], "source": {"advisory": "GHSA-qpjv-v59x-3qc4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-15T15:40:39.864352Z", "id": "CVE-2025-32421", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-15T15:42:26.847Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-32421", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-15T15:40:39.864352Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-15T15:42:22.471Z"}}], "cna": {"title": "Next.js Race Condition to Cache Poisoning", "source": {"advisory": "GHSA-qpjv-v59x-3qc4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "vercel", "product": "next.js", "versions": [{"status": "affected", "version": "< 14.2.24"}, {"status": "affected", "version": ">= 15.0.0, < 15.1.6"}]}], "references": [{"url": "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4", "name": "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://vercel.com/changelog/cve-2025-32421", "name": "https://vercel.com/changelog/cve-2025-32421", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-14T22:56:45.624Z"}}}, "cveMetadata": {"cveId": "CVE-2025-32421", "state": "PUBLISHED", "dateUpdated": "2025-05-15T15:42:26.847Z", "dateReserved": "2025-04-08T10:54:58.366Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-14T22:56:45.624Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "4053D4E0-5AB3-425D-AFEE-3F99985BE086", "versionEndExcluding": "14.2.24", "vulnerable": true}, {"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BE1D1266-DE52-4805-9133-402B4D0BE947", "versionEndExcluding": "15.1.6", "versionStartIncluding": "15.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers."}, {"lang": "es", "value": "Next.js es un framework de React para crear aplicaciones web full-stack. Las versiones anteriores a la 14.2.24 y la 15.1.6 presentan una vulnerabilidad de condici\u00f3n de ejecuci\u00f3n. Este problema solo afecta a Pages Router con ciertas configuraciones incorrectas, lo que provoca que los endpoints normales muestren datos `pageProps` en lugar de HTML est\u00e1ndar. Este problema se solucion\u00f3 en las versiones 15.1.6 y 14.2.24 eliminando el encabezado `x-now-route-matches` de las solicitudes entrantes. Las aplicaciones alojadas en la plataforma Vercel no se ven afectadas, ya que la plataforma no almacena en cach\u00e9 las respuestas bas\u00e1ndose \u00fanicamente en el estado `200 OK` sin encabezados `cache-control` expl\u00edcitos. Quienes alojan implementaciones de Next.js en sus propias instalaciones y no pueden actualizar inmediatamente pueden mitigar esta vulnerabilidad eliminando el encabezado `x-now-route-matches` de todas las solicitudes entrantes en la red de desarrollo de contenido y configurando `cache-control: no-store` para todas las respuestas en riesgo. Los mantenedores de Next.js recomiendan encarecidamente almacenar en cach\u00e9 \u00fanicamente las respuestas con encabezados de control de cach\u00e9 expl\u00edcitos."}], "id": "CVE-2025-32421", "lastModified": "2025-09-10T15:16:10.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-05-14T23:15:47.870", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://vercel.com/changelog/cve-2025-32421"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "next.js: Next.js Race Condition to Cache Poisoning", "id": "2366366", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366366"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cvss4": {"cvss4_base_score": "1.7", "cvss4_scoring_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "status": "draft"}, "cwe": "CWE-362", "details": ["Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.", "A flaw was found in Next.js. This vulnerability allows an endpoint to serve `pageProps` data instead of standard HTML via a race condition under specific misconfigurations."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-32421", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "dotnet7.0", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Fix deferred", "package_name": "rhelai1/pathservice-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Fix deferred", "package_name": "rhelai1/ui-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/rekor-search-ui-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Fix deferred", "package_name": "com.github.streamshub-console", "product_name": "streams for Apache Kafka 2"}], "public_date": "2025-05-14T22:56:45Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-32421\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-32421\nhttps://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4\nhttps://vercel.com/changelog/cve-2025-32421"], "threat_severity": "Low"}

{"created": "2025-07-13T11:06:47.394229+00:00", "updated": "2025-07-13T11:06:47.394282+00:00", "vendors": ["vercel", "vercel$PRODUCT$next.js"]}