CVE-2025-32421— Next.js Race Condition to Cache Poisoning
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-32421
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Next.js Race Condition to Cache Poisoning
Source: NVD (National Vulnerability Database)
Vulnerability Description
Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用共享资源的并发执行不恰当同步问题(竞争条件)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Next.js 竞争条件问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Next.js是Vercel开源的一个 React 框架。 Next.js 14.2.24之前版本和15.1.6之前版本存在竞争条件问题漏洞,该漏洞源于竞争条件,可能导致数据泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-32421
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Comprehensive demonstration of CVE-2025-32421 Eclipse technique - a sophisticated race condition attack against Next.js 15.0.4 that bypasses the original CVE-2024-46982 patch. | https://github.com/hidesec/CVE-2025-32421 | POC Details |
| 2 | PoC Lab for CVE-2025-32421 – Next.js Race Condition Cache Poisoning Simulation | https://github.com/Delfaster/CVE-2025-32421---Race-Condition-Vulnerability---Next.js | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-32421
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: next.js
- CVE-2026-29057
Next.js: HTTP request smuggling in rewrites - CVE-2026-27980
Next.js: Unbounded next/image disk cache growth can exhaust - CVE-2026-27979
Next.js: Unbounded postponed resume buffering can lead to Do - CVE-2026-27978
Next.js: null origin can bypass Server Actions CSRF checks - CVE-2026-27977
Next.js: null origin can bypass dev HMR websocket CSRF check
Same vendor: vercel
- CVE-2026-29057
Next.js: HTTP request smuggling in rewrites - CVE-2026-27980
Next.js: Unbounded next/image disk cache growth can exhaust - CVE-2026-27979
Next.js: Unbounded postponed resume buffering can lead to Do - CVE-2026-27978
Next.js: null origin can bypass Server Actions CSRF checks - CVE-2026-27977
Next.js: null origin can bypass dev HMR websocket CSRF check
V. Comments for CVE-2025-32421
No comments yet