DevGuard Logo

/🛡️ DevGuard
Group
/👩‍💻 DevGuard Web
Repository

Overview
Compliance
Code Risks
Dependency Risks
Dependencies

CVE-2025-49005

Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cache poisoning if the CDN does not properly distinguish between RSC / HTML in the cache keys. This issue has been resolved in Next.js 15.3.3.

Fixed
LOW (2.0)
  • logo

    System detected CVE-2025-49005 with a risk of 1.7

    main
  • logo

    System detected CVE-2025-49005 with scanner: sca

    main
  • T

    Tim Bastin fixed CVE-2025-49005

    main
  • S

    Sebastian Kawelke updated the risk assessment from 1.7 to 2.04

    main

    Confidentiality Requirement updated: medium -> high, Integrity Requirement updated: medium -> high, Availability Requirement updated: medium -> high

Reopen this vulnerability

You can reopen this vuln, if you plan to mitigate the risk now, or accepted this vuln by accident.

Last calculated at:

Affected component

Logo von npm next

Installed version:
15.3.2
Fixed in:
15.3.3
Show in dependency graph

Quick Fix

Update all Dependencies
Update only next

Management decisions across the organization

GitHubImprintTerms of UsePrivacy
Copyright © 2025 L3montree GmbH and the DevGuard Contributors. All rights reserved. Version 71cda54d19c6900d5d185b8bc7c11608a8a65bac