Next.js and Vercel CLI Cache Poisoning Vulnerability

Vulnerability

A cache poisoning vulnerability has been identified in Next.js App Router versions 15.3.0 prior to 15.3.3, as well as in Vercel CLI versions 41.4.1 through 42.2.0. This vulnerability allows page requests for HTML content to instead return a React Server Component (RSC) payload, under certain conditions involving middleware redirects. When deployed on Vercel, the issue only affects the browser cache and does not poison the CDN. However, when self-hosted and deployed externally, it could lead to cache poisoning if the CDN does not properly differentiate between RSC and HTML in the cache keys.

Impact

Exploiting this vulnerability could result in serving RSC payloads instead of HTML, caching these incorrect responses, and causing broken or incorrect content to be displayed in the browser.

Reproduction

The vulnerability can be reproduced by deploying a Next.js application with the App Router to Vercel using an affected version of the Vercel CLI. After deployment, the application can be accessed in Google Chrome, where the RSC response will be cached and served instead of the expected HTML content. This issue can also be reproduced by self-hosting the application and deploying it externally, under the same version conditions.

Remediation

Users should upgrade to Next.js version 15.3.3 and Vercel CLI version 42.2.0. After upgrading, Next.js applications must be redeployed to ensure proper caching behavior. For applications that cannot be immediately upgraded, a workaround is to manually add the Vary header on RSC responses to differentiate between RSC and HTML payloads.
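The Vary workaround above, as an added example that is not part of the advisory or of Next.js itself: a middleware-style helper that merges the App Router's RSC request header names into the response's Vary header, plus the cache-key computation a CDN must perform for that header to take effect. It assumes Node 18+ for the global Request/Response/Headers API; the header names RSC, Next-Router-State-Tree and Next-Router-Prefetch are the ones the App Router sends on RSC navigations.

```javascript
// Request headers the App Router sets when it wants an RSC payload rather than HTML.
// A cache that ignores them will hand an RSC payload to a plain browser navigation.
const RSC_VARY_HEADERS = ['RSC', 'Next-Router-State-Tree', 'Next-Router-Prefetch'];

// True when the incoming request is asking for an RSC payload.
function isRscRequest(request) {
  return request.headers.get('RSC') === '1';
}

// Return a copy of `response` whose Vary header names every RSC-related request
// header, keeping any Vary values already present and never duplicating one.
// Copying the headers also works for Response.redirect() results, whose header
// object is immutable (the middleware-redirect case named in the advisory).
function withRscVary(response) {
  const vary = (response.headers.get('Vary') || '')
    .split(',').map((v) => v.trim()).filter(Boolean);
  const seen = new Set(vary.map((v) => v.toLowerCase()));
  for (const name of RSC_VARY_HEADERS) {
    if (!seen.has(name.toLowerCase())) {
      vary.push(name);
      seen.add(name.toLowerCase());
    }
  }
  const headers = new Headers(response.headers);
  headers.set('Vary', vary.join(', '));
  return new Response(response.body, { status: response.status, headers });
}

// Cache key a standards-following CDN derives: the URL path plus the value of
// every request header listed in Vary. Without the RSC names in Vary, the HTML
// page and the RSC payload for the same path collapse to one key.
function cacheKey(request, response) {
  const vary = (response.headers.get('Vary') || '')
    .split(',').map((v) => v.trim()).filter(Boolean);
  const parts = vary.map((h) => `${h.toLowerCase()}=${request.headers.get(h) ?? ''}`);
  return `${new URL(request.url).pathname}|${parts.join('&')}`;
}
```

Compare cacheKey() for an HTML navigation and an RSC request against the same response with and without withRscVary() to see the two requests share a cache slot only in the unpatched case.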

Added: Jul 3, 2025, 9:19 PM
Updated: Jul 3, 2025, 9:19 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 9.7
remediation: 8.3
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.