Race Condition Affecting next package, versions <14.2.24>=15.0.0 <15.1.6
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-NEXT-10176058
- published16 May 2025
- disclosed15 May 2025
- creditAllam Rachid
Introduced: 15 May 2025
NewCVE-2025-32421 (opens in a new tab)How to fix?
Upgrade next to version 14.2.24, 15.1.6 or higher.
Overview
next is a react framework.
Affected versions of this package are vulnerable to Race Condition in the Pages Router. An attacker can cause the server to serve incorrect pageProps data instead of the expected HTML content by exploiting a race condition between two requests, one containing the ?__nextDataRequest=1 query parameter and another with the x-now-route-matches header.
Notes:
This is only exploitable if the CDN provider caches a
200 OKresponse even in the absence of explicitcache-controlheaders, enabling a poisoned response to persist and be served to subsequent users;No backend access or privileged escalation is possible through this vulnerability;
Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on
200 OKstatus without explicitcache-controlheaders.This is a bypass of the fix for CVE-2024-46982
Workaround
This can be mitigated by stripping the x-now-route-matches header from all incoming requests at your CDN and setting cache-control: no-store for all responses under risk.