CVE-2025-49005

Exploit

EPSS 0.05%
Veröffentlicht 03.07.2025 21:01:14
Zuletzt bearbeitet 10.09.2025 19:14:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cache poisoning if the CDN does not properly distinguish between RSC / HTML in the cache keys. This issue has been resolved in Next.js 15.3.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vercel ≫ Next.Js SwPlatformnode.js Version >= 15.3.0 < 15.3.3

Vercel ≫ Vercel Version >= 41.4.1 < 42.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.135

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://github.com/vercel/next.js/security/advisories/GHSA-r2fc-ccr8-96c4

Vendor Advisory

https://github.com/vercel/next.js/issues/79346

Exploit

Issue Tracking

https://github.com/vercel/next.js/commit/ec202eccf05820b60c6126d6411fe16766ecc066

Patch

https://github.com/vercel/next.js/releases/tag/v15.3.3

Release Notes

https://vercel.com/changelog/cve-2025-49005

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-49005

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-49005

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-49005

EUVD