cvelistv5 - cve-2025-32421

CVE-2025-32421 (GCVE-0-2025-32421)

Vulnerability from cvelistv5

Published

2025-05-14 22:56

Modified

2025-05-15 15:42

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Summary

Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.

References

►

URL

Tags

	security-advisories@github.com	https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4
	security-advisories@github.com	https://vercel.com/changelog/cve-2025-32421

Impacted products

	Vendor	Product	Version
	vercel	next.js	Version: < 14.2.24 Version: >= 15.0.0, < 15.1.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32421",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-15T15:40:39.864352Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-15T15:42:26.847Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "next.js",
          "vendor": "vercel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 14.2.24"
            },
            {
              "status": "affected",
              "version": "\u003e= 15.0.0, \u003c 15.1.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel\u0027s platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-14T22:56:45.624Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4"
        },
        {
          "name": "https://vercel.com/changelog/cve-2025-32421",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://vercel.com/changelog/cve-2025-32421"
        }
      ],
      "source": {
        "advisory": "GHSA-qpjv-v59x-3qc4",
        "discovery": "UNKNOWN"
      },
      "title": "Next.js Race Condition to Cache Poisoning"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-32421",
    "datePublished": "2025-05-14T22:56:45.624Z",
    "dateReserved": "2025-04-08T10:54:58.366Z",
    "dateUpdated": "2025-05-15T15:42:26.847Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-32421\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-14T23:15:47.870\",\"lastModified\":\"2025-05-16T14:43:26.160\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel\u0027s platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.\"},{\"lang\":\"es\",\"value\":\"Next.js es un framework de React para crear aplicaciones web full-stack. Las versiones anteriores a la 14.2.24 y la 15.1.6 presentan una vulnerabilidad de condici\u00f3n de ejecuci\u00f3n. Este problema solo afecta a Pages Router con ciertas configuraciones incorrectas, lo que provoca que los endpoints normales muestren datos `pageProps` en lugar de HTML est\u00e1ndar. Este problema se solucion\u00f3 en las versiones 15.1.6 y 14.2.24 eliminando el encabezado `x-now-route-matches` de las solicitudes entrantes. Las aplicaciones alojadas en la plataforma Vercel no se ven afectadas, ya que la plataforma no almacena en cach\u00e9 las respuestas bas\u00e1ndose \u00fanicamente en el estado `200 OK` sin encabezados `cache-control` expl\u00edcitos. Quienes alojan implementaciones de Next.js en sus propias instalaciones y no pueden actualizar inmediatamente pueden mitigar esta vulnerabilidad eliminando el encabezado `x-now-route-matches` de todas las solicitudes entrantes en la red de desarrollo de contenido y configurando `cache-control: no-store` para todas las respuestas en riesgo. Los mantenedores de Next.js recomiendan encarecidamente almacenar en cach\u00e9 \u00fanicamente las respuestas con encabezados de control de cach\u00e9 expl\u00edcitos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]}],\"references\":[{\"url\":\"https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://vercel.com/changelog/cve-2025-32421\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-32421\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-15T15:40:39.864352Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-15T15:42:22.471Z\"}}], \"cna\": {\"title\": \"Next.js Race Condition to Cache Poisoning\", \"source\": {\"advisory\": \"GHSA-qpjv-v59x-3qc4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"vercel\", \"product\": \"next.js\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 14.2.24\"}, {\"status\": \"affected\", \"version\": \"\u003e= 15.0.0, \u003c 15.1.6\"}]}], \"references\": [{\"url\": \"https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4\", \"name\": \"https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://vercel.com/changelog/cve-2025-32421\", \"name\": \"https://vercel.com/changelog/cve-2025-32421\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel\u0027s platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-362\", \"description\": \"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-14T22:56:45.624Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-32421\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-15T15:42:26.847Z\", \"dateReserved\": \"2025-04-08T10:54:58.366Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-14T22:56:45.624Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-qpjv-v59x-3qc4

Vulnerability from github

Published

2025-05-15 14:12

Modified

2025-05-15 14:12

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

Next.js Race Condition to Cache Poisoning

Details

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.2.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0.0"
            },
            {
              "fixed": "15.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-15T14:12:26Z",
    "nvd_published_at": "2025-05-14T23:15:47Z",
    "severity": "LOW"
  },
  "details": "**Summary**  \nWe received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the **Pages Router** under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML.\n\n[Learn more here](https://vercel.com/changelog/cve-2025-32421)\n\n**Credit**  \nThank you to **Allam Rachid (zhero)** for the responsible disclosure. This research was rewarded as part of our bug bounty program.",
  "id": "GHSA-qpjv-v59x-3qc4",
  "modified": "2025-05-15T14:12:26Z",
  "published": "2025-05-15T14:12:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32421"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/next.js"
    },
    {
      "type": "WEB",
      "url": "https://vercel.com/changelog/cve-2025-32421"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Next.js Race Condition to Cache Poisoning"
}

wid-sec-w-2025-1061

Vulnerability from csaf_certbund

Published

2025-05-14 22:00

Modified

2025-05-14 22:00

Summary

Vercel Next.js: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Next.js ist ein Framework für React-basierte Web-Anwendungen.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Vercel Next.js ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "niedrig"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Next.js ist ein Framework f\u00fcr React-basierte Web-Anwendungen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Vercel Next.js ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1061 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1061.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1061 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1061"
      },
      {
        "category": "external",
        "summary": "Vercel GitHub vom 2025-05-14",
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4"
      },
      {
        "category": "external",
        "summary": "European Union Vulnerability Database vom 2025-05-14",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2025-14946"
      }
    ],
    "source_lang": "en-US",
    "title": "Vercel Next.js: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2025-05-14T22:00:00.000+00:00",
      "generator": {
        "date": "2025-05-15T10:04:18.514+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-1061",
      "initial_release_date": "2025-05-14T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-05-14T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c15.1.6",
                "product": {
                  "name": "Vercel Next.js \u003c15.1.6",
                  "product_id": "T043795"
                }
              },
              {
                "category": "product_version",
                "name": "15.1.6",
                "product": {
                  "name": "Vercel Next.js 15.1.6",
                  "product_id": "T043795-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vercel:next.js:15.1.6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c14.2.24",
                "product": {
                  "name": "Vercel Next.js \u003c14.2.24",
                  "product_id": "T043796"
                }
              },
              {
                "category": "product_version",
                "name": "14.2.24",
                "product": {
                  "name": "Vercel Next.js 14.2.24",
                  "product_id": "T043796-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vercel:next.js:14.2.24"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Next.js"
          }
        ],
        "category": "vendor",
        "name": "Vercel"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-32421",
      "product_status": {
        "known_affected": [
          "T043795",
          "T043796"
        ]
      },
      "release_date": "2025-05-14T22:00:00.000+00:00",
      "title": "CVE-2025-32421"
    }
  ]
}

fkie_cve-2025-32421

Vulnerability from fkie_nvd

Published

2025-05-14 23:15

Modified

2025-05-16 14:43

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

▶	URL	Tags
	security-advisories@github.com	https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4
	security-advisories@github.com	https://vercel.com/changelog/cve-2025-32421

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel\u0027s platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers."
    },
    {
      "lang": "es",
      "value": "Next.js es un framework de React para crear aplicaciones web full-stack. Las versiones anteriores a la 14.2.24 y la 15.1.6 presentan una vulnerabilidad de condici\u00f3n de ejecuci\u00f3n. Este problema solo afecta a Pages Router con ciertas configuraciones incorrectas, lo que provoca que los endpoints normales muestren datos `pageProps` en lugar de HTML est\u00e1ndar. Este problema se solucion\u00f3 en las versiones 15.1.6 y 14.2.24 eliminando el encabezado `x-now-route-matches` de las solicitudes entrantes. Las aplicaciones alojadas en la plataforma Vercel no se ven afectadas, ya que la plataforma no almacena en cach\u00e9 las respuestas bas\u00e1ndose \u00fanicamente en el estado `200 OK` sin encabezados `cache-control` expl\u00edcitos. Quienes alojan implementaciones de Next.js en sus propias instalaciones y no pueden actualizar inmediatamente pueden mitigar esta vulnerabilidad eliminando el encabezado `x-now-route-matches` de todas las solicitudes entrantes en la red de desarrollo de contenido y configurando `cache-control: no-store` para todas las respuestas en riesgo. Los mantenedores de Next.js recomiendan encarecidamente almacenar en cach\u00e9 \u00fanicamente las respuestas con encabezados de control de cach\u00e9 expl\u00edcitos."
    }
  ],
  "id": "CVE-2025-32421",
  "lastModified": "2025-05-16T14:43:26.160",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-14T23:15:47.870",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://vercel.com/changelog/cve-2025-32421"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-32421 (GCVE-0-2025-32421)

Vulnerability from cvelistv5

ghsa-qpjv-v59x-3qc4

Vulnerability from github

wid-sec-w-2025-1061

Vulnerability from csaf_certbund

fkie_cve-2025-32421

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature