GHSA-vfv6-92ff-j949
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vfv6-92ff-j949
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-vfv6-92ff-j949/GHSA-vfv6-92ff-j949.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vfv6-92ff-j949
- Aliases
-
- CVE-2026-44582
- Related
- Published
- 2026-05-11T15:56:48Z
- Modified
- 2026-05-13T03:44:30.349688884Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting
- Details
-
Impact
React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the
_rsccache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL.Fix
We strengthened the
_rsccache-busting mechanism to make practical collisions significantly harder and to better separate response variants that should not share cache entries.Workarounds
If you cannot upgrade immediately, ensure intermediary caches correctly honor
Varyfor RSC-related request headers, or disable shared caching for affected RSC responses until you can deploy a patched release. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-11T15:56:48Z", "cwe_ids": [ "CWE-328" ], "severity": "LOW", "nvd_published_at": null }- References
Affected packages
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next