CVE-2025-49005: 
NixOS vulnerability analysis and mitigation

Next.js, a React framework for building full-stack web applications, disclosed a cache poisoning vulnerability (CVE-2025-49005) affecting versions 15.3.0 to 15.3.3 and Vercel CLI versions 41.4.1 to 42.2.0. The vulnerability was discovered on July 3, 2025, and allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions (Vercel Changelog, GitHub Advisory).

The vulnerability stems from improper cache key separation when middleware rewrites or redirects are involved, resulting in the cache-busting parameter being stripped by user redirects. The issue has a CVSS v3.1 score of 3.7 (Low) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N. The technical root cause involved the omission of proper Vary headers to distinguish between different content types, specifically between RSC and HTML responses (GitHub Advisory).

When deployed on Vercel, the vulnerability only affected browser caches without poisoning the CDN. However, in self-hosted and externally deployed environments, the issue could lead to cache poisoning if the CDN failed to properly distinguish between RSC and HTML content in cache keys. This could result in serving RSC payloads instead of HTML, leading to broken or incorrect client content (Vercel Changelog).

The issue was patched in Next.js version 15.3.3 by ensuring proper Vary header implementation to distinguish between different content types. For users unable to upgrade immediately, workarounds include manually adding the Vary header (Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch) on RSC responses or applying unique cache-busting search parameters to middleware redirect destinations. Customers hosting on Vercel with affected CLI versions must redeploy their applications to implement the fix (Vercel Changelog).

The vulnerability received attention from the development community, as evidenced by GitHub issue discussions and the quick response from the Next.js team. The fix was implemented and released promptly, with the community actively participating in testing and verification of the patch (GitHub Issue).