Saturday, 5 July 2025

Critical Next.js Cache Poisoning Bug CVE‑2025‑49826 Risks DoS for SSR/ISR Sites

A critical cache poisoning vulnerability (CVE‑2025‑49826) in Next.js 15.1.0–15.1.7 allows attackers to poison CDN caches with blank 204 responses, triggering denial-of-service across SSR/ISR apps under specific revalidation setups. Exploitation requires static regeneration, server-side rendering, and CDN caching of 204s. The issue is patched in Next.js 15.1.8+—developers are urged to upgrade immediately to prevent blank-page DoS attacks.
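
A triage sketch for the conditions described above, added here as an example and not taken from the advisory or the Next.js project: it reads the resolved `next` version from a parsed `package-lock.json` and flags observed 204 responses that a shared cache served or could store. The function names, the sample lockfile, and the `app.example` observations are constructed for illustration.

```javascript
// Added triage example; function names are hypothetical, not Next.js APIs.
// Affected range as stated in the summary above: 15.1.0 through 15.1.7.
const AFFECTED = { major: 15, minor: 1, minPatch: 0, maxPatch: 7 };

// Resolved `next` version from a parsed package-lock.json (lockfileVersion 2 or 3).
function resolvedNextVersion(lock) {
  const entry = lock.packages && lock.packages["node_modules/next"];
  return entry ? entry.version : null;
}

// True when an exact version falls in the affected range. Pre-release tags on
// an affected patch number are flagged too (conservative); unparseable input
// returns false and should be checked by hand.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(version || "");
  if (!m) return false;
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  return major === AFFECTED.major && minor === AFFECTED.minor &&
         patch >= AFFECTED.minPatch && patch <= AFFECTED.maxPatch;
}

// URLs of 204 responses that came from a cache (Age header, RFC 9111) or
// carry a Cache-Control policy that lets a shared cache store them.
function cached204Findings(observations) {
  return observations.filter(({ status, headers = {} }) => {
    if (status !== 204) return false;
    const h = Object.fromEntries(
      Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
    const cc = (h["cache-control"] || "").toLowerCase();
    const storable = !/\b(no-store|private)\b/.test(cc) &&
                     /\b(s-maxage|max-age)=[1-9]/.test(cc);
    return "age" in h || storable;
  }).map((o) => o.url);
}

function triage(lock, observations) {
  const version = resolvedNextVersion(lock);
  return { version, affected: isAffected(version), cached204: cached204Findings(observations) };
}

// Constructed sample input: a lockfile excerpt and three edge responses.
const sampleLock = { lockfileVersion: 3, packages: { "node_modules/next": { version: "15.1.6" } } };
const sampleObservations = [
  { url: "https://app.example/pricing", status: 204, headers: { Age: "120", "Cache-Control": "s-maxage=300" } },
  { url: "https://app.example/", status: 200, headers: { Age: "12" } },
  { url: "https://app.example/api/ping", status: 204, headers: { "Cache-Control": "no-store" } },
];

console.log(triage(sampleLock, sampleObservations));
```

A flagged URL on a page route is a candidate for purging from the CDN after the upgrade to 15.1.8 or later.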
