PT-2026-39417 · Vercel · Next.Js

Published: 2026-05-09 · Updated: 2026-05-13 · CVE-2026-44572

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Next.js versions 12.2.0 through 15.5.15
Next.js versions 16.0.0 through 16.2.4

Description
An external client can send an x-nextjs-data header on a request to a path handled by middleware that returns a redirect. This causes the middleware or proxy to treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Since browsers do not follow x-nextjs-redirect, the response becomes an unusable redirect. If the application is deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single request can poison the cached redirect response. This results in a denial of service for that redirect path for subsequent visitors until the cache entry expires or is purged.

Recommendations
Update to version 15.5.16.
Update to version 16.2.5.
Configure the CDN or reverse proxy to vary its cache key on x-nextjs-data for affected responses.
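The following is an added illustration, not code from Next.js, Vercel or this advisory: a minimal in-memory model of a caching reverse proxy in front of a middleware redirect, showing why the recommended cache-key change closes the issue. The origin behaviour is the one the description states (a data request gets x-nextjs-redirect instead of Location); the path names, the 307 status and the cache-key functions are assumptions for the simulation.

```javascript
// Simulated origin: middleware redirecting /old to /new. A request carrying
// x-nextjs-data is treated as a data request and gets the internal
// x-nextjs-redirect header instead of Location (behaviour per the advisory;
// the 307 status is illustrative).
function origin(req) {
  const isDataRequest = req.headers["x-nextjs-data"] !== undefined;
  return isDataRequest
    ? { status: 307, headers: { "x-nextjs-redirect": "/new" } }
    : { status: 307, headers: { location: "/new" } };
}

// Cache-key strategies (assumed, for the simulation).
// Vulnerable: key on path only, so both request kinds share one entry.
const keyByPath = (req) => req.path;
// Hardened: key also varies on the x-nextjs-data header, as recommended.
const keyByPathAndDataHeader = (req) =>
  `${req.path}|x-nextjs-data=${req.headers["x-nextjs-data"] ?? ""}`;

// A proxy that caches every 3xx response from the origin under keyFn(req).
function makeProxy(keyFn) {
  const cache = new Map();
  return (req) => {
    const key = keyFn(req);
    if (!cache.has(key)) cache.set(key, origin(req));
    return cache.get(key);
  };
}

// Health check usable on observed responses: a browser only follows a 3xx
// that carries a Location header; x-nextjs-redirect alone is unusable.
function browserCanFollow(res) {
  return (
    res.status >= 300 &&
    res.status < 400 &&
    typeof res.headers.location === "string"
  );
}

// Replay: one data request warms the cache, then a normal browser request
// for the same path is served. Returns whether the browser got a usable redirect.
function simulate(keyFn) {
  const proxy = makeProxy(keyFn);
  proxy({ path: "/old", headers: { "x-nextjs-data": "1" } });
  const browserRes = proxy({ path: "/old", headers: {} });
  return browserCanFollow(browserRes);
}
```

With the path-only key the browser is served the cached data-request response and cannot follow it; with the header-aware key each request kind gets its own entry and the redirect stays usable.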

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2026-44572
GHSA-3G8H-86W9-WVMQ

Affected Products

Next.Js