Next.js DoS Vulnerability
The vulnerability stems from a cache poisoning bug that manipulates the framework's response caching mechanism, specifically targeting HTTP 204 responses in static page rendering.
Under specific conditions, the flaw allows malicious actors to poison the cache with empty responses, causing legitimate users to receive blank pages instead of proper content.
For the vulnerability to be exploitable, three critical conditions must be met simultaneously: deployment of an affected Next.js version (>=15.1.0 <15.1.8), utilization of Incremental Static Regeneration (ISR) with cache revalidation in production mode (next start or standalone deployment), and implementation of Server-Side Rendering (SSR) with a Content Delivery Network (CDN) configured to cache 204 responses.
The attack vector exploits a race condition in Next.js's shared response object mechanism, where the framework incorrectly processes and caches HTTP 204 status codes.
When successfully executed, this cache poisoning technique results in persistent DoS conditions, as the cached empty response gets served to all subsequent users attempting to access the affected static pages.
The vulnerability's impact is particularly severe for high-traffic applications relying on ISR for performance optimization.
| Risk Factors | Details |
|---|---|
| Affected Products | Next.js versions ≥15.1.0 <15.1.8 |
| Impact | Cache poisoning leading to Denial of Service (DoS) condition |
| Exploit Prerequisites | 1. Using affected Next.js version (≥15.1.0 <15.1.8) 2. Route using cache revalidation with ISR (next start or standalone mode) 3. Route using SSR with CDN configured to cache 204 responses |
| CVSS 3.1 Score | 7.5 (High) |
Remediation & Patch Availability
The Next.js development team has addressed the vulnerability through comprehensive code modifications targeting the root cause of the cache poisoning mechanism.
The primary fix involved removing the problematic code path responsible for setting incorrect 204 responses in the static page rendering pipeline.
Additionally, developers eliminated the race condition by restructuring the response caching architecture to no longer rely on shared response objects for populating the Next.js response cache.
Security experts recommend immediate migration to Next.js version 15.1.8 or later, which includes the complete resolution for CVE-2025-49826.
Organizations using affected versions should prioritize updating their dependencies and conducting thorough testing of their ISR and SSR implementations.
Notably, applications hosted on Vercel's platform remain unaffected due to the platform's infrastructure design that prevents this specific attack vector.
Development teams should implement comprehensive security monitoring for their Next.js applications, particularly focusing on cache behavior anomalies and unexpected 204 response patterns that could indicate ongoing exploitation attempts.
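One way to triage for the two signals discussed above, the affected version range and unexpected 204 responses on page routes, is sketched below. This is an added example, not code from Next.js or the advisory; the log line format, the sample entries, the route names and the function names are constructed assumptions.

```javascript
// Added example: log format, field order and route names are constructed assumptions.
// Line format assumed: "<iso-time> <method> <path> <status> <cache-status> <bytes>"
const SAMPLE_LOG = `
2025-07-03T10:00:01Z GET /blog/post-1 200 MISS 18234
2025-07-03T10:00:05Z GET /blog/post-1 200 HIT 18234
2025-07-03T10:02:11Z GET /pricing 204 MISS 0
2025-07-03T10:02:12Z GET /pricing 204 HIT 0
2025-07-03T10:02:15Z GET /pricing 204 HIT 0
2025-07-03T10:03:00Z OPTIONS /api/items 204 MISS 0
2025-07-03T10:03:30Z POST /api/track 204 MISS 0
2025-07-03T10:04:00Z GET /_next/static/chunks/main.js 200 HIT 90211
`;

// Affected range stated in the advisory: >=15.1.0 <15.1.8.
function isAffectedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version.trim());
  if (!m) return null; // pre-release or unparsable: check manually
  const [major, minor, patch] = m.slice(1).map(Number);
  return major === 15 && minor === 1 && patch < 8;
}

// Page routes should answer GET with a body; a 204 there is anomalous.
// 204 on OPTIONS/POST or under ignored prefixes (e.g. /api/) is normal and skipped.
function find204Anomalies(logText, { ignorePrefixes = ["/api/"] } = {}) {
  const byPath = new Map();
  for (const line of logText.split("\n")) {
    const parts = line.trim().split(/\s+/);
    if (parts.length !== 6) continue; // skip blank or malformed lines
    const [time, method, rawPath, status, cache] = parts;
    if (method !== "GET" || status !== "204") continue;
    const path = rawPath.split("?")[0];
    if (ignorePrefixes.some((p) => path.startsWith(p))) continue;
    const rec = byPath.get(path) || { path, first: time, total: 0, cacheHits: 0 };
    rec.total += 1;
    if (cache === "HIT") rec.cacheHits += 1;
    byPath.set(path, rec);
  }
  // cacheHits > 0 means the CDN is replaying the empty response to other users.
  return [...byPath.values()].map((r) => ({ ...r, servedFromCache: r.cacheHits > 0 }));
}

console.log(isAffectedVersion("15.1.7"), find204Anomalies(SAMPLE_LOG));
```

A route reported with `servedFromCache: true` is a candidate for a CDN purge and a check of the deployed Next.js version.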