Skip to main content

Next.js CVE-2026-44582

LOW
Use of Weak Hash (CWE-328)
2026-05-11 https://github.com/vercel/next.js GHSA-vfv6-92ff-j949
3.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 16:17 vuln.today
Analysis Generated
May 11, 2026 - 16:17 vuln.today
CVE Published
May 11, 2026 - 15:56 nvd
LOW 3.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 23 npm packages depend on next (21 direct, 3 indirect)

Ecosystem-wide dependent count for version 13.4.6.

DescriptionGitHub Advisory

Impact

React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL.

Fix

We strengthened the _rsc cache-busting mechanism to make practical collisions significantly harder and to better separate response variants that should not share cache entries.

Workarounds

If you cannot upgrade immediately, ensure intermediary caches correctly honor Vary for RSC-related request headers, or disable shared caching for affected RSC responses until you can deploy a patched release.

AnalysisAI

Cache poisoning in Next.js React Server Component responses allows attackers to poison shared cache entries through collisions in the _rsc cache-busting mechanism, potentially serving incorrect response variants to users. The vulnerability affects Next.js versions 13.4.6 through 15.5.15 and 16.0.0 through 16.2.4 in deployments using shared caches with insufficient response partitioning. No public exploit code or active exploitation has been identified at time of analysis, though the low CVSS score (3.7) reflects the requirement for specific cache architecture conditions and lack of confidentiality impact.

Technical ContextAI

Next.js uses React Server Components (RSCs) with a cache-busting mechanism employing _rsc query parameters to ensure proper cache segmentation in shared caching layers (CDNs, proxies, etc.). The vulnerability stems from weaknesses in the collision resistance of this cache-busting value, classified under CWE-328 (Use of Insufficiently Random Values). When intermediary caches fail to properly honor HTTP Vary headers for RSC-specific request headers, collisions in the _rsc parameter can cause cache entries to be poisoned, allowing one user's request to serve another user's cached response variant. The vulnerability is specific to applications deploying Next.js in front of shared caching infrastructure (reverse proxies, CDNs) without strict response partitioning.

RemediationAI

Upgrade Next.js to version 15.5.16 or later if running 13.4.6-15.5.15, or upgrade to version 16.2.5 or later if running 16.0.0-16.2.4. These versions contain the strengthened _rsc cache-busting mechanism that significantly reduces collision probability and improves response variant separation. If immediate upgrade is not feasible, implement two compensating controls: (1) configure intermediary caches and CDNs to strictly honor HTTP Vary headers for RSC-related request headers (Accept, Next-Router-Prefetch, etc.), ensuring cache entries are properly partitioned; or (2) disable shared caching for RSC responses at the CDN or proxy layer until patched versions can be deployed. Note that disabling shared caching may impact performance but eliminates the poisoning vector entirely. Patch release information is available at https://github.com/vercel/next.js/releases/tag/v15.5.16 and https://github.com/vercel/next.js/releases/tag/v16.2.5.

Share

CVE-2026-44582 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy