Henry Chen

**Name of the Vulnerable Software and Affected Versions** Next.js versions 13.5.1 through 14.2.9 **Description** The issue allows an attacker to poison the cache of a non-dynamic server-side rendered route in the pages router by sending a crafted HTTP request. This could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header, which some upstream CDNs may also cache. To be potentially affected, all of the following must apply: using Next.js between versions 13.5.1 and 14.2.9, using the pages router, and using non-dynamic server-side rendered routes. **Recommendations** Next.js versions 13.5.1 through 14.2.9: Upgrade to version 13.5.7, 14.2.10, or later. As a temporary workaround, consider restricting access to non-dynamic server-side rendered routes until a patch is available. Avoid using the `Cache-Control: s-maxage=1, stale-while-revalidate` header in the affected API endpoint until the issue is resolved.