Next.js CVE-2026-44582
LOWSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 23 npm packages depend on next (21 direct, 3 indirect)
Ecosystem-wide dependent count for version 13.4.6.
DescriptionGitHub Advisory
Impact
React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL.
Fix
We strengthened the _rsc cache-busting mechanism to make practical collisions significantly harder and to better separate response variants that should not share cache entries.
Workarounds
If you cannot upgrade immediately, ensure intermediary caches correctly honor Vary for RSC-related request headers, or disable shared caching for affected RSC responses until you can deploy a patched release.
AnalysisAI
Cache poisoning in Next.js React Server Component responses allows attackers to poison shared cache entries through collisions in the _rsc cache-busting mechanism, potentially serving incorrect response variants to users. The vulnerability affects Next.js versions 13.4.6 through 15.5.15 and 16.0.0 through 16.2.4 in deployments using shared caches with insufficient response partitioning. No public exploit code or active exploitation has been identified at time of analysis, though the low CVSS score (3.7) reflects the requirement for specific cache architecture conditions and lack of confidentiality impact.
Technical ContextAI
Next.js uses React Server Components (RSCs) with a cache-busting mechanism employing _rsc query parameters to ensure proper cache segmentation in shared caching layers (CDNs, proxies, etc.). The vulnerability stems from weaknesses in the collision resistance of this cache-busting value, classified under CWE-328 (Use of Insufficiently Random Values). When intermediary caches fail to properly honor HTTP Vary headers for RSC-specific request headers, collisions in the _rsc parameter can cause cache entries to be poisoned, allowing one user's request to serve another user's cached response variant. The vulnerability is specific to applications deploying Next.js in front of shared caching infrastructure (reverse proxies, CDNs) without strict response partitioning.
RemediationAI
Upgrade Next.js to version 15.5.16 or later if running 13.4.6-15.5.15, or upgrade to version 16.2.5 or later if running 16.0.0-16.2.4. These versions contain the strengthened _rsc cache-busting mechanism that significantly reduces collision probability and improves response variant separation. If immediate upgrade is not feasible, implement two compensating controls: (1) configure intermediary caches and CDNs to strictly honor HTTP Vary headers for RSC-related request headers (Accept, Next-Router-Prefetch, etc.), ensuring cache entries are properly partitioned; or (2) disable shared caching for RSC responses at the CDN or proxy layer until patched versions can be deployed. Note that disabling shared caching may impact performance but eliminates the poisoning vector entirely. Patch release information is available at https://github.com/vercel/next.js/releases/tag/v15.5.16 and https://github.com/vercel/next.js/releases/tag/v16.2.5.
Same weakness CWE-328 – Use of Weak Hash
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-vfv6-92ff-j949