Thursday, April 10, 2025

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks


A new report has put the spotlight on potential security vulnerabilities within the popular open-source framework Next.js, demonstrating how improper caching mechanisms can lead to critical server-side cache poisoning attacks.

Developed by Vercel, Next.js remains a cornerstone for building server-rendered React applications; however, its popularity has also made it a lucrative target for threat actors.

The research, which culminated in significant bug bounty rewards, outlines novel exploitation techniques and underscores the importance of patching affected versions to mitigate potential damage.


Cache Poisoning via SSR and SSG

The report highlights vulnerabilities in two primary Next.js functions: getStaticProps (SSG) and getServerSideProps (SSR).

SSG is designed to pre-render static pages at build time, enabling public caching with directives such as s-maxage=31536000, stale-while-revalidate.

In contrast, SSR dynamically fetches and transmits data during requests, typically disabling caching with headers like private, no-cache, no-store.

The researcher discovered that by manipulating certain headers (e.g., x-now-route-matches) or internal URL parameters (__nextDataReq), it was possible to misclassify SSR requests as SSG.

This misclassification forces dynamic data to be cached improperly, opening the door for cache poisoning attacks.

Denial-of-Service (DoS) via Cache Poisoning

By exploiting caching misconfigurations, attackers can inject poisoned responses into a cache shared by all users.

For example, two requests for https://example.com/ and https://example.com/?__nextDataReq=1 could serve the same cached response if URL parameters are not part of the cache key.

An attacker can manipulate the cache to serve JSON data instead of standard HTML, resulting in a Denial-of-Service (DoS).

The research also demonstrates how a poisoned cache can lead to stored XSS vulnerabilities.
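An added illustration, not code from the article or from Next.js: a toy shared cache in JavaScript that models the path-only cache key described above (the JSON data response for /?__nextDataReq=1 ends up served to later visitors of /), beside a version that keys on the full URL and refuses to store anything marked private, no-cache or no-store. The upstream function and both of its responses are constructed for the example.

```javascript
// Constructed stand-in for the origin: the HTML page for "/" and the JSON
// data response an SSR handler returns when "__nextDataReq" is present.
function upstream(url) {
  const u = new URL(url);
  if (u.searchParams.has("__nextDataReq")) {
    // SSR data response: marked as not publicly cacheable
    return { body: '{"pageProps":{}}', contentType: "application/json",
             cacheControl: "private, no-cache, no-store" };
  }
  return { body: "<html>home</html>", contentType: "text/html",
           cacheControl: "s-maxage=31536000, stale-while-revalidate" };
}

// Vulnerable cache: keyed on the path only and stores whatever the origin
// returned, so the first request for "/?__nextDataReq=1" fills the slot for "/".
function makeNaiveCache() {
  const store = new Map();
  return function fetch(url) {
    const key = new URL(url).pathname;
    if (!store.has(key)) store.set(key, upstream(url));
    return store.get(key);
  };
}

// Returns true only when Cache-Control allows a shared cache to keep the
// response: no private/no-store/no-cache, and an explicit freshness lifetime.
function isPubliclyCacheable(cacheControl) {
  const directives = cacheControl.split(",").map((d) => d.trim().toLowerCase());
  if (directives.some((d) => ["private", "no-store", "no-cache"].includes(d))) return false;
  return directives.some((d) => d.startsWith("s-maxage=") || d.startsWith("max-age="));
}

// Hardened cache: path plus query string in the key, and Cache-Control honoured.
function makeHardenedCache() {
  const store = new Map();
  return function fetch(url) {
    const u = new URL(url);
    const key = u.pathname + u.search;
    if (store.has(key)) return store.get(key);
    const res = upstream(url);
    if (isPubliclyCacheable(res.cacheControl)) store.set(key, res);
    return res;
  };
}
```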

Figure: Cache poisoning

Stored XSS on Next.js

If a reflected value, such as a user-agent string, is injected into a cached response, it becomes possible to execute malicious scripts whenever users access the affected endpoint.

One example payload revealed an attacker embedding <img src=x onerror=alert('exploit')> in the cache, triggering a persistent XSS attack across all users accessing the endpoint.

This discovery highlights a severe impact on platform availability, confidentiality, and integrity, especially for sensitive systems like e-commerce or cryptocurrency exchanges.

The researcher identified a critical vulnerability, later cataloged as CVE-2024-46982, leveraging the stale-while-revalidate directive to poison caches.

Although the vulnerability primarily affected versions of Next.js between 13.5.1 and 14.2.9, deployments hosted on Vercel or using the newer app router architecture were unaffected.

The Vercel team released a patch addressing the issue, alongside a security advisory urging developers to apply updates immediately.

Next.js, with over six million weekly downloads, remains a foundational JavaScript framework for countless applications worldwide.

This investigation into cache poisoning exploits highlights the importance of rigorous security mechanisms and regular updates.

Beyond the technical implications, the findings showcase the role of bug bounty programs in uncovering and addressing vulnerabilities proactively.

The research emphasizes the potential for high-impact vulnerabilities, including Denial-of-Service (DoS) and Stored XSS, when cache mechanisms are improperly configured.

Developers leveraging Next.js are strongly advised to patch their frameworks and adopt a defensive approach to caching.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
