Next.js Cache Poisoning Vulnerability Leading to Denial-of-Service

A cache poisoning vulnerability has been identified in Next.js, a React framework for full-stack web applications. This issue affects versions 15.0.4-canary.51 prior to 15.1.8. The vulnerability can lead to a denial-of-service condition by allowing a HTTP 204 response to be cached for static pages. As a result, the 204 response could be served to all users accessing the page. This issue does not impact customers hosted on Vercel.

Impact

Exploitation of this vulnerability could cause a denial-of-service condition by serving cached HTTP 204 responses to users accessing affected static pages.

Reproduction

To reproduce this vulnerability, deploy a Next.js application using a version between 15.0.4-canary.51 and prior to 15.1.8. Ensure that the application has a route using cache revalidation with Incremental Static Regeneration (ISR) and a route using Server-Side Rendering (SSR), with a Content Delivery Network (CDN) configured to cache 204 responses. Under these conditions, the vulnerability can be reproduced by accessing the affected static page, which will serve the cached 204 response to the user.

Remediation

Users can upgrade to Next.js version 15.1.8 or later to address this vulnerability.