Next.js
cpe:2.3:a:vercel:next.js:*:*:*:*:node.js:*:*
- >= 12.2.0, < 15.5.16
- >= 16.0.0, < 16.2.5
A denial-of-service vulnerability has been identified in Next.js versions from 12.2.0 up to, but not including, 15.5.16, and from 16.0.0 up to, but not including, 16.2.5. The issue arises when an external client sends a request with the 'x-nextjs-data' header to a path managed by middleware that performs redirects. In such cases, the middleware may misinterpret the request as a data request and replace the standard 'Location' header with the internal 'x-nextjs-redirect' header, which browsers do not recognize. If the application is behind a CDN or reverse proxy that caches 3xx responses without considering this header, an attacker could poison the cached redirect response. Subsequent visitors would then receive a redirect response lacking a 'Location' header, causing a denial-of-service condition on that redirect path until the cache entry expires or is cleared.
Exploitation of this vulnerability leads to a denial-of-service condition on affected redirect paths, causing responses to lack the necessary 'Location' header for proper redirection.
Users can upgrade to Next.js versions 15.5.16 or 16.2.5 to address this vulnerability. Before upgrading, it is recommended to configure the CDN or reverse proxy to vary its cache key on 'x-nextjs-data' for affected responses.
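The effect of the cache-key mitigation can be seen in a small model, added here as an illustration and not taken from Next.js or any CDN. The function names, the paths '/old-home' and '/new-home' and the 307 status are constructed assumptions; the middleware function only mimics the header substitution described above.

```javascript
// Added example: toy model of the affected middleware behaviour and a shared cache.
// All names are hypothetical; this is not Next.js or CDN code.

// Mimics the described behaviour of affected versions: a request carrying
// x-nextjs-data gets x-nextjs-redirect instead of Location.
function affectedMiddleware(req) {
  const target = '/new-home'; // constructed redirect target
  const isData = 'x-nextjs-data' in req.headers;
  return {
    status: 307, // constructed; the advisory only says "3xx"
    headers: isData ? { 'x-nextjs-redirect': target } : { location: target },
  };
}

// Shared cache whose key is the path plus the values of the listed request headers.
function makeCache(varyOn, origin) {
  const store = new Map();
  return function handle(req) {
    const parts = varyOn.map((h) => `${h}=${req.headers[h] ?? ''}`);
    const key = [req.path, ...parts].join('|');
    if (!store.has(key)) store.set(key, origin(req));
    return store.get(key);
  };
}

// Health check for a response: true when it is a 3xx a browser cannot follow.
function isBrokenRedirect(res) {
  return res.status >= 300 && res.status < 400 && !res.headers.location;
}

// Replays one constructed request sequence against a cache configuration and
// reports whether the ordinary visitor ends up with an unusable redirect.
function visitorGetsBrokenRedirect(varyOn) {
  const cache = makeCache(varyOn, affectedMiddleware);
  // Constructed data-style request from an external client, served first.
  cache({ path: '/old-home', headers: { 'x-nextjs-data': '1' } });
  // Later browser request for the same path, without the header.
  const visitor = cache({ path: '/old-home', headers: {} });
  return isBrokenRedirect(visitor);
}

console.log('path-only cache key:', visitorGetsBrokenRedirect([]));
console.log('key varies on x-nextjs-data:', visitorGetsBrokenRedirect(['x-nextjs-data']));
```

The same `isBrokenRedirect` condition (a 3xx status with no 'Location' header) is what a synthetic monitor on a redirect path would alert on.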