CVE-2025-32421

Next.js Race Condition to Cache Poisoning

Severity Score

3.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-04-08 CVE Reserved
2025-05-14 CVE Published
2025-05-15 CVE Updated
2025-05-26 First Exploit
2025-06-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (3)

URL	Tag	Source
https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4	X_refsource_confirm
https://vercel.com/changelog/cve-2025-32421	X_refsource_misc

URL	Date	SRC
https://github.com/zeroc00I/CVE-2025-32421	2025-05-26

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Vercel Search vendor "Vercel"		Next.js Search vendor "Vercel" for product "Next.js"				< 14.2.24 Search vendor "Vercel" for product "Next.js" and version " < 14.2.24"		en		Affected
Vercel Search vendor "Vercel"		Next.js Search vendor "Vercel" for product "Next.js"				>= 15.0.0 < 15.1.6 Search vendor "Vercel" for product "Next.js" and version " >= 15.0.0 < 15.1.6"		en		Affected