“`Key Takeaways1. Next.js versions 15.1.0-15.1.8 have a cache poisoning bug causing DoS attacks through blank page delivery.2. Needs affected Next.js version + ISR with cache revalidation + SSR with CDN caching 204 responses.3. Race condition allows HTTP 204 responses to be cached for static pages, serving empty content to all users.4. Update to Next.js 15.1.8+ immediately – the vulnerability is fully patched.“`A critical security vulnerability identified as CVE-2025-49826 has been discovered in Next.js, the popular React-based web framework, allowing attackers to exploit cache poisoning mechanisms to trigger Denial of Service (DoS) conditions.The vulnerability, reported by security researchers Allam Rachid (zhero) and Allam Yasser (inzo_), affects Next.js versions ranging from 15.1.0 to 15.1.8, prompting immediate security updates from the development team.**Next.js DoS Vulnerability**—————————–The vulnerability stems from a [cache poisoning](https://cybersecuritynews.com/react-router-vulnerability-exposes-web-apps/) bug that manipulates the framework’s response caching mechanism, specifically targeting HTTP 204 responses in static page rendering.Under specific conditions, the flaw allows malicious actors to poison the cache with empty responses, causing legitimate users to receive blank pages instead of proper content.For the vulnerability to be exploitable, three critical conditions must be met simultaneously: deployment of an affected Next.js version (->=15.1.0 -=15.1.0 -=15.1.0 – [**Try ANY.RUN now**](https://any.run/demo?utm_source=csn&utm_medium=article&utm_campaign=braodo_stealer&utm_content=demo_1&utm_term=250625)The post [Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition](https://cybersecuritynews.com/next-js-cache-poisoning-vulnerability/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
Related Tags:
Topic: Vulnerability
NAICS: 54 – Professional
Scientific
Technical Services
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 516 – Broadcasting And Content Providers
NAICS: 51 – Information
Blog: Cybersecurity News
Proxy: Domain Fronting
Proxy
Associated Indicators: