Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2025-32421
CVE-2025-32421:
ASP.NET Core vulnerability analysis and mitigation
Overview
Next.js, a React framework for building full-stack web applications, was found to contain a race-condition vulnerability in versions prior to 14.2.24 and 15.1.6. The vulnerability was discovered and disclosed on May 14, 2025, affecting the Pages Router under specific misconfigurations. The issue has been assigned a CVSS v3.1 Base Score of 3.7 (Low) (NVD, Vercel Changelog).
Technical details
The vulnerability occurs when an attacker exploits a race condition between two requests — one containing the ?__nextDataRequest=1 query parameter and another with the x-now-route-matches header, causing normal endpoints to serve pageProps data instead of standard HTML. The vulnerability is classified with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with high attack complexity and no required privileges or user interaction (GitHub Advisory, Vercel Changelog).
Impact
The vulnerability allows an attacker to poison the CDN cache by injecting the response body from a non-cacheable data request into a normal request that retains cacheable headers. Some CDN providers may cache a 200 OK response even without explicit cache-control headers, enabling a poisoned response to persist and be served to subsequent users. However, no backend access or privileged escalation is possible through this vulnerability (Vercel Changelog).
Mitigation and workarounds
The issue was patched in versions 15.1.6 and 14.2.24 by stripping the x-now-route-matches header from incoming requests. Applications hosted on Vercel's platform are not affected as the platform does not cache responses based solely on 200 OK status without explicit cache-control headers. For self-hosted deployments unable to upgrade immediately, mitigation options include stripping the x-now-route-matches header from all incoming requests at the CDN and setting cache-control: no-store for all responses under risk (NVD, Vercel Changelog).
Community reactions
The vulnerability was responsibly disclosed by Allam Rachid (zhero) and was rewarded as part of Vercel's bug bounty program. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers (GitHub Advisory, Vercel Changelog).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management