PT-2025-19996 · Vercel · Next.Js

Cold-Try

Published: 2025-05-06 · Updated: 2026-01-06 · CVE-2025-32421

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Next.js versions prior to 14.2.24 and versions 15.0.0 through 15.1.6

Description
Next.js, a React framework for building full-stack web applications, contains a race-condition issue affecting the Pages Router under specific misconfigurations. This allows normal endpoints to serve pageProps data instead of standard HTML. The issue arises from concurrent requests and can lead to cache poisoning. Applications hosted on Vercel's platform are not affected, as they do not cache responses based solely on 200 OK status without explicit cache-control headers. The vulnerability is triggered when two simultaneous requests with the same cacheKey (e.g., / error-0) occur, where the first request results in an error and the second receives pageProps in text/html format. If pageProps contains data from the request (like User-Agent or Cookie), this can result in Stored Cross-Site Scripting (XSS). The x-now-route-matches header plays a role in the vulnerability, and stripping this header from incoming requests can mitigate the issue.

Recommendations
For versions prior to 14.2.24, upgrade to version 14.2.24 or later. For versions 15.0.0 through 15.1.6, upgrade to version 15.1.6 or later. If immediate upgrade is not possible, strip the x-now-route-matches header from all incoming requests at the content delivery network. Set cache-control: no-store for all responses at risk.
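
The two workarounds above, sketched as edge-side helpers. This is an added example, not code from the advisory, Next.js or Vercel; the function names are hypothetical, headers are assumed to arrive as plain objects, and the sample request is constructed.

```javascript
// Added example: edge-side mitigation helpers (hypothetical names).
const BLOCKED_REQUEST_HEADER = "x-now-route-matches";

// Copy the incoming request headers, dropping the blocked header.
// Header names are case-insensitive, so compare in lower case.
function stripRouteMatches(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.trim().toLowerCase() === BLOCKED_REQUEST_HEADER) continue;
    clean[name] = value;
  }
  return clean;
}

// Look up a header regardless of the casing the origin used.
function getHeader(headers, wanted) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === wanted) return String(value);
  }
  return undefined;
}

// Decide what a shared cache may do with an origin response.
// A 200 status alone never makes a response cacheable: the origin
// must send an explicit cache-control that permits shared caching.
function cacheDecision(status, headers) {
  const cc = (getHeader(headers, "cache-control") || "").toLowerCase();
  const directives = cc.split(",").map((d) => d.trim().split("=")[0]);
  const allow = ["public", "s-maxage", "max-age"];
  const deny = ["no-store", "private", "no-cache"];
  const store = status === 200 &&
    directives.some((d) => allow.includes(d)) &&
    !directives.some((d) => deny.includes(d));
  const outHeaders = { ...headers };
  if (!store) {
    // Replace any casing variant so downstream caches also skip it.
    for (const name of Object.keys(outHeaders)) {
      if (name.toLowerCase() === "cache-control") delete outHeaders[name];
    }
    outHeaders["cache-control"] = "no-store";
  }
  return { store, headers: outHeaders };
}

// Constructed sample request.
const sampleRequest = { Host: "example.test", "X-Now-Route-Matches": "1" };
console.log(stripRouteMatches(sampleRequest));
console.log(cacheDecision(200, { "content-type": "text/html" }));
```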

Exploit · Fix · DoS · Race Condition


Weakness Enumeration

Related identifiers

CVE-2025-32421
GHSA-QPJV-V59X-3QC4

Affected products

Next.Js