15 matches found
CVE-2026-44582
A flaw was found in Next.js. React Server Component responses are vulnerable to cache poisoning in deployments that use shared caches without proper response partitioning. An attacker can exploit collisions in the rsc cache-busting value to poison cache entries. This allows users to receive...
CVE-2026-44582 Next.js: Cache poisoning via collisions in React Server Component cache-busting
Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions,...
CVE-2026-44582 Next.js: Cache poisoning via collisions in React Server Component cache-busting
Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions,...
CVE-2026-44582
Next.js (React Server Components) versions 13.4.6–before 15.5.16 and 16.2.5 are vulnerable to cache poisoning in deployments using shared caches with insufficient response partitioning. The issue stems from collisions in the _rsc cache-busting value, which can cause an attacker to serve a poisone...
Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting
Impact React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the rsc cache-busting value can allow an attacker to poison cache entries so users receive the wron...
GHSA-VFV6-92FF-J949 Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting
Impact React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the rsc cache-busting value can allow an attacker to poison cache entries so users receive the wron...
Exploit for Deserialization of Untrusted Data in Facebook React
CVE-202...
Linux Distros Unpatched Vulnerability : CVE-2025-49005
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, ...
Cache Poisoning
Next.js is vulnerable to cache poisoning. The vulnerability is due to HTML page requests returning a React Server Component RSC payload under certain conditions, which allows an attacker to poison the cache if the CDN does not correctly differentiate between RSC and HTML content...
CVE-2025-49005
Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component RSC payloa...
CVE-2025-49005
Next.js CVE-2025-49005 affects Next.js App Router (versions 15.3.0 to before 15.3.3) and Vercel CLI (41.4.1 to 42.2.0). A cache poisoning vulnerability could cause HTML requests to return a React Server Component payload under certain conditions. When deployed on Vercel, impact is limited to the ...
CVE-2025-49005 Next.js cache poisoning due to omission of Vary header
Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component RSC payloa...
CVE-2025-49005 Next.js cache poisoning due to omission of Vary header
Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component RSC payloa...
CVE-2025-49005 Next.js cache poisoning due to omission of Vary header
Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component RSC payloa...
PT-2025-27835
Name of the Vulnerable Software and Affected Versions: Next.js versions 15.3.0 through 15.3.2 Vercel CLI versions 41.4.1 through 42.1.0 Description: A cache poisoning issue was found in Next.js App Router and Vercel CLI, allowing page requests for HTML content to return a React Server Component R...