Security context
Low· 3.7GHSA-qpjv-v59x-3qc4 CVE-2025-32421CWE-362Published May 15, 2025

Next.js Race Condition to Cache Poisoning

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0.9.9 → fixed in 14.2.2415.0.0 → fixed in 15.1.6

Details

**Summary** We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the **Pages Router** under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. [Learn more here](https://vercel.com/changelog/cve-2025-32421) **Credit** Thank you to **Allam Rachid (zhero)** for the responsible disclosure. This research was rewarded as part of our bug bounty program.

The fix

No fix commit could be resolved for this advisory (it may reference an issue tracker or a non-GitHub patch). See the references below.

References