Link to heading Summary A cache poisoning vulnerability affecting Next.js App Router >=15.3.0 < 15.3.3 / Vercel CLI 41.4.1–42.2.0 has been resolved. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cache poisoning if the CDN does not properly distinguish between RSC / HTML in the cache keys. Link to heading Impact Under specific conditions involving App Router, middleware redirects, and omitted Vary headers, applications may: Serve RSC payloads in place of HTML Cache these responses at the browser or CDN layer Display broken or incorrect client content This issue occurs in environments where middleware rewrites or redirects result in improper cache key separation, because the cache-busting parameter added by the framework is stripped by the user’s…