GHSA-qpjv-v59x-3qc4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qpjv-v59x-3qc4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-qpjv-v59x-3qc4/GHSA-qpjv-v59x-3qc4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qpjv-v59x-3qc4
- Aliases
-
- CVE-2025-32421
- Published
- 2025-05-15T14:12:26Z
- Modified
- 2025-05-15T14:44:36.485809Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Next.js Race Condition to Cache Poisoning
- Details
-
Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to servepagePropsdata instead of standard HTML.Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2025-05-15T14:12:26Z", "cwe_ids": [ "CWE-362" ], "severity": "LOW", "nvd_published_at": "2025-05-14T23:15:47Z" }- References
Affected packages
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next