Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.
Analysis
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.
Technical ContextAI
A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as HTTP Request/Response Smuggling (CWE-444).
RemediationAI
A vendor patch is available — apply it immediately. Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.
React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-202
Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripti
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in min
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for t
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-19910
GHSA-67rr-84xm-4c7r