Next.js Cache Poisoning Vulnerability in React Server Components

Vulnerability

A cache poisoning vulnerability has been identified in Next.js versions from 13.4.6 up to (but not including) 15.5.16, and from 16.0.0 up to (but not including) 16.2.5. The issue affects deployments that sit behind a shared cache which does not partition responses adequately, allowing an attacker to manipulate cache entries so that users receive the wrong response variant for a given URL. The root cause is collisions in the '_rsc' cache-busting value, which can be exploited to poison cached responses.

Impact

Successful exploitation leads to cache poisoning: users receive an incorrect response variant for a given URL (for example, a page response where a React Server Components payload was expected, or vice versa), disrupting the intended functionality of the application.

Remediation

To address this vulnerability, upgrade to Next.js 15.5.16 or 16.2.5. If an immediate upgrade is not possible, ensure that intermediary caches properly respect the 'Vary' header for RSC-related request headers, or disable shared caching for the affected RSC responses until a patched version can be deployed.
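The following is an added example, not code from the advisory or from the Next.js project. It models a shared cache that keys only on the URL (so a colliding '_rsc' value makes a page response and an RSC payload share one entry) beside one that honours the response's Vary header; the header names RSC, Next-Router-State-Tree and Next-Router-Prefetch are assumed here to be the RSC-related request headers the advisory refers to, and the origin and requests are constructed.

```javascript
// Constructed example: shared-cache keying with and without Vary partitioning.
// Assumption: the RSC-related request headers are "rsc", "next-router-state-tree"
// and "next-router-prefetch" (compared case-insensitively).
const RSC_VARY_HEADERS = ['rsc', 'next-router-state-tree', 'next-router-prefetch'];

function parseVary(varyHeader) {
  if (!varyHeader) return [];
  return varyHeader.split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Cache key = URL plus the values of every request header named in Vary.
// The '_rsc' query string is still part of the URL, but the key no longer
// depends on that value being unique per variant.
function cacheKey(req, varyHeader) {
  const parts = parseVary(varyHeader).map(n => `${n}=${req.headers[n] ?? ''}`);
  return `${req.url}|${parts.join('&')}`;
}

// Check that a response's Vary header covers all RSC-related request headers.
function varyCoversRsc(varyHeader) {
  const names = parseVary(varyHeader);
  return names.includes('*') || RSC_VARY_HEADERS.every(h => names.includes(h));
}

// Minimal shared cache: the first response stored under a key is served to
// every later request that maps to the same key.
class SharedCache {
  constructor(varyHeader) { this.vary = varyHeader; this.store = new Map(); }
  fetch(req, origin) {
    const key = cacheKey(req, this.vary);
    if (!this.store.has(key)) this.store.set(key, origin(req));
    return this.store.get(key);
  }
}

// Constructed origin: same path, HTML for a page request, payload for an RSC request.
function origin(req) {
  return req.headers.rsc === '1' ? 'rsc-payload' : '<html>page</html>';
}

// Two requests for the same URL whose '_rsc' value is constructed to collide:
// a page request first, then an RSC request. Returns what each one received.
function demo(varyHeader) {
  const cache = new SharedCache(varyHeader);
  const html = cache.fetch({ url: '/dashboard?_rsc=abc', headers: {} }, origin);
  const rsc = cache.fetch({ url: '/dashboard?_rsc=abc', headers: { rsc: '1' } }, origin);
  return { html, rsc };
}
```

With no Vary partitioning the RSC request is served the cached HTML; with Vary covering the RSC headers each variant gets its own entry.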

Added: May 13, 2026, 7:46 PM
Updated: May 13, 2026, 7:46 PM

Vulnerability Rating (custom algorithm)

spread          5.2
impact          0.6
exploitability  7.2
remediation     7.9
relevance       8.2
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.