Cold-Try

**Name of the Vulnerable Software and Affected Versions** Next.js versions 15.0.4-canary.51 through 15.1.7 **Description** Next.js is susceptible to a cache poisoning issue that can lead to a Denial of Service (DoS) condition. This flaw allows attackers to manipulate the caching of HTTP responses, potentially serving cached HTTP 204 responses for static pages to all users, rendering the pages inaccessible. The issue impacts self-hosted deployments but does not affect customers hosted on Vercel. **Recommendations** Update to Next.js version 15.1.8 or later.

**Name of the Vulnerable Software and Affected Versions** Next.js versions prior to 14.2.24 and versions 15.0.0 through 15.1.6 **Description** Next.js, a React framework for building full-stack web applications, contains a race-condition issue affecting the Pages Router under specific misconfigurations. This allows normal endpoints to serve `pageProps` data instead of standard HTML. The issue arises from concurrent requests and can lead to cache poisoning. Applications hosted on Vercel's platform are not affected, as they do not cache responses based solely on `200 OK` status without explicit `cache-control` headers. The vulnerability is triggered when two simultaneous requests with the same `cacheKey` (e.g., `/ error-0`) occur, where the first request results in an error and the second receives `pageProps` in text/html format. If `pageProps` contains data from the request (like `User-Agent` or `Cookie`), this can result in Stored Cross-Site Scripting (XSS). The `x-now-route-matches` header plays a role in the vulnerability, and stripping this header from incoming requests can mitigate the issue. **Recommendations** For versions prior to 14.2.24, upgrade to version 14.2.24 or later. For versions 15.0.0 through 15.1.6, upgrade to version 15.1.6 or later. If immediate upgrade is not possible, strip the `x-now-route-matches` header from all incoming requests at the content delivery network. Set `cache-control: no-store` for all responses at risk.

**Name of the Vulnerable Software and Affected Versions** React Router versions 7.2.0 through 7.5.2 **Description** The issue allows an attacker to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this allows the response containing the error to be cached, resulting in a cache poisoning that strongly impacts the availability of the application. The vulnerable header is `X-React-Router-SPA-Mode`. **Recommendations** To resolve the issue, update React Router to version 7.5.2 or later. As a temporary workaround, consider disabling the use of the `X-React-Router-SPA-Mode` header in React Router to enhance security. Restrict access to the vulnerable API endpoints to minimize the risk of exploitation. Avoid using the `X-React-Router-SPA-Mode` header in requests to affected pages until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** React Router versions 7.0 through 7.5.1 **Description** The issue allows an attacker to modify pre-rendered data by adding a header to the request, potentially leading to various exploits, including stored XSS. This is possible due to a vulnerability in React Router, which is a router for React. The vulnerability can be exploited by adding a header to the request, allowing an attacker to completely spoof the contents and modify all the values of the data object passed to the HTML. **Recommendations** For React Router versions 7.0 through 7.5.1, update to version 7.5.2 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable module or disabling the ability to add headers to requests until a patch is available. Avoid using the vulnerable versions of React Router until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Next.js versions 1.11.4 through 12.3.4 Next.js versions 12.3.5 through 13.5.8 Next.js versions 13.5.9 through 14.2.24 Next.js versions 14.2.25 through 15.2.2 **Description** An issue in the handling of the `x-middleware-subrequest` header allows remote attackers to bypass authorization checks, session validation, and rate-limiting if these security measures are implemented within the middleware. By sending a specially crafted request containing the `x-middleware-subrequest` header, an attacker can trick the application into treating an unauthenticated request as one that has already passed through the necessary middleware checks. This can lead to unauthorized access to protected resources, such as admin panels and API routes. Additionally, this flaw can be used to bypass Content-Security-Policy (CSP) settings or facilitate Denial-of-Service (DoS) attacks via cache poisoning. Real-world exploitation has been observed by the threat actor group TeamPCP, who used this flaw in their PCPcat campaign to target cloud infrastructures in the e-commerce and finance sectors. **Recommendations** Update Next.js to version 12.3.5. Update Next.js to version 13.5.9. Update Next.js to version 14.2.25. Update Next.js to version 15.2.3. As a temporary workaround, prevent external user requests containing the `x-middleware-subrequest` header from reaching the application.