CVE-2025-49005

Name of the Vulnerable Software and Affected Versions: Next.js versions 15.3.0 through 15.3.2 Vercel CLI versions 41.4.1 through 42.1.0

Description: A cache poisoning issue was found in Next.js App Router and Vercel CLI, allowing page requests for HTML content to return a React Server Component (RSC) payload under certain conditions. When deployed to Vercel, this issue only impacts the browser cache and does not lead to CDN poisoning. However, when self-hosted and deployed externally, it could lead to cache poisoning if the CDN does not properly distinguish between RSC and HTML in the cache keys.

Recommendations: For Next.js versions 15.3.0 through 15.3.2, upgrade to Next.js 15.3.3. For Vercel CLI versions 41.4.1 through 42.1.0, upgrade to Vercel CLI 42.2.0 and redeploy.