The flaw affects versions 15.1.0 up to but not including 15.1.8, and centers on a cache poisoning bug that could lead to a Denial of Service (DoS) for end users.
The vulnerability is triggered under specific conditions: when an affected version of Next.js is used with routes utilizing Incremental Static Regeneration (ISR) in next start or standalone mode, or with Server-Side Rendering (SSR) routes in combination with a CDN configured to cache HTTP 204 responses.
If these conditions are met, a 204 No Content response could be erroneously cached for static pages.
This results in all users attempting to access the page being served a blank 204 response, effectively rendering critical content inaccessible and causing a service blackout for those pages.
The Next.js team responded by removing the problematic code path that allowed 204 responses to be cached and addressed an underlying race condition involving a shared response object in the cache logic.
The fix was released in Next.js version 15.2.0 and also backported to 15.0.4 for users on earlier major versions.
Developers running self-hosted or on-premises deployments of Next.js between versions 15.1.0 and 15.1.7 are urged to upgrade immediately to version 15.2.0 or later.
Those on earlier versions should ensure they are using 15.0.4 or below.
The issue does not impact customers hosted on Vercel’s managed platform.
As an additional precaution, teams should review CDN configurations to prevent caching of unexpected 204 responses, especially when using SSR or ISR with custom cache rules.
The discovery and responsible disclosure of this vulnerability are credited to security researchers Allam Rachid (zhero) and Allam Yasser (inzo_).
The vulnerability received a CVSS score of 7.5, indicating high severity.
This incident underscores the importance of prompt patch management and careful review of caching strategies in modern web applications.
Developers are encouraged to stay vigilant and ensure their frameworks and dependencies are kept up to date to mitigate similar risks in the future.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
The post Critical Next.js Cache Poisoning Flaw Triggers Denial of Service Attacks appeared first on Cyber Security News.
Mobile Swipe Menu is a vanilla JavaScript library that creates touch-enabled off-canvas side menus for…
tiks is a JavaScript sound effect library that generates iOS-like UI audio feedback at runtime…
LANSING, MI (WOWO) A broad coalition of business groups, housing advocates and environmental organizations is…
LANSING, MI (WOWO) Michigan lawmakers are advancing a series of proposals aimed at reforming the…
A group of unauthorized users has reportedly breached access controls surrounding Claude Mythos Preview, Anthropic’s…
MARSHALL COUNTY, IND. (WOWO) Marshall County commissioners have approved a permanent ban on data centers…
This website uses cookies.