Skip to main content

Next.js CVE-2025-32421

LOW
Race Condition (CWE-362)
2025-05-14 security-advisories@github.com
3.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 28, 2026 - 18:41 vuln.today
CVE Published
May 14, 2025 - 23:15 nvd
LOW 3.7

DescriptionGitHub Advisory

Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the x-now-route-matches header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on 200 OK status without explicit cache-control headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the x-now-route-matches header from all incoming requests at the content development network and setting cache-control: no-store for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.

AnalysisAI

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-362. Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the x-now-route-matches header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on 200 OK status without explicit cache-control headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the x-now-route-matches header from all incoming requests at the content development network and setting cache-control: no-store for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers. Affected products include: Vercel Next.Js. Version information: prior to 14.2.24.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-29927 CRITICAL POC
9.1 Mar 21

Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subreques

CVE-2017-16877 HIGH POC
7.5 Nov 17

ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to

CVE-2025-57822 MEDIUM POC
6.5 Aug 29

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.5), this vulnerabil

CVE-2025-6087 CRITICAL
9.1 Jun 16

A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected sy

CVE-2026-41248 CRITICAL
9.1 Apr 24

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @c

CVE-2025-48947 HIGH
7.7 Jun 04

A security vulnerability in Next.js applications. In Auth0 Next.js SDK (CVSS 7.7). High severity vulnerability requiring

CVE-2025-30218 LOW
1.7 Apr 02

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 1.7), this vulnerability

CVE-2025-57752 MEDIUM
6.2 Aug 29

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.2), this vulnerabil

CVE-2025-55173 MEDIUM
4.3 Aug 29

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 4.3), this vulnerabil

CVE-2025-48068 LOW
2.3 May 30

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 2.3), this vulnerability

CVE-2024-56332 MEDIUM
5.3 Jan 03

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 5.3), this vulnerabil

Share

CVE-2025-32421 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy