Security context
Low· 3.7GHSA-vfv6-92ff-j949 CVE-2026-44582CWE-328Published May 11, 2026

Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

13.4.6 → fixed in 15.5.1616.0.0 → fixed in 16.2.5

Details

### Impact React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the `_rsc` cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. ### Fix We strengthened the `_rsc` cache-busting mechanism to make practical collisions significantly harder and to better separate response variants that should not share cache entries. ### Workarounds If you cannot upgrade immediately, ensure intermediary caches correctly honor `Vary` for RSC-related request headers, or disable shared caching for affected RSC responses until you can deploy a patched release.

The fix

No fix commit could be resolved for this advisory (it may reference an issue tracker or a non-GitHub patch). See the references below.

References