Next.js Cache Poisoning Vulnerability in React Server Components

A cache poisoning vulnerability has been identified in Next.js versions 14.2.0 prior to 15.5.16 and 16.0.0 prior to 16.2.5, specifically in applications using React Server Components. The issue arises when shared caches fail to properly partition response variants, allowing an attacker to manipulate cache entries. This manipulation can result in subsequent users receiving component payloads instead of the expected HTML. The vulnerability is rooted in inconsistent validation and interpretation of RSC request headers, which can lead to unintended cache behavior.

Impact

Exploitation of this vulnerability allows for cache poisoning, where shared cache entries are manipulated to serve incorrect component payloads to users, disrupting the expected application behavior.

Remediation

Users can upgrade to Next.js versions 15.5.16 or 16.2.5 to address this vulnerability. If an immediate upgrade is not possible, it is recommended to ensure that the CDN or reverse proxy respects the relevant RSC request headers and the 'Vary' header, or to disable shared caching for affected App Router and RSC responses.