CVE-2025-49005
low-risk
Published 2025-07-03
Next.js is a React framework for building full-stack web applications. In the Next.js App Router from 15.3.0 to before 15.3.3, and in Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. Under certain conditions, a page request for HTML content could return a React Server Component (RSC) payload instead. When deployed to Vercel, this only affects the browser cache and does not poison the CDN. When self-hosted and served through an external CDN, it can lead to cache poisoning if the CDN does not distinguish between RSC and HTML responses in its cache keys. This issue has been resolved in Next.js 15.3.3.
Do I need to act?
EPSS score: 0.17% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 3.7/10 (Low); attack vector NETWORK, attack complexity HIGH
Affected Products (2)
Affected Vendors: Vercel
References (6)
Release Notes: https://github.com/vercel/next.js/releases/tag/v15.3.3
Vendor Advisory: https://vercel.com/changelog/cve-2025-49005
Risk score: 21 / 100 (low-risk)
Severity: 13/34 · Low
Exploitability: 1/34 · Minimal
Exposure: 7/34 · Low