CVE-2025-32421 - Vercel

Vercel News·Ty Sbano·4 days ago

A low severity cache poisoning vulnerability was discovered in Next.js.

Summary

This affects versions >14.2.24 through <15.1.6 as a bypass of the previous CVE-2024-46982. The issue happens when an attacker exploits a race condition between two requests — one containing the ?__nextDataRequest=1 query parameter and another with the x-now-route-matches header. Some CDN providers may cache a 200 OK response even in the absence of explicit cache-control headers, enabling a poisoned response to persist and be served to subsequent users.

Affected Versions

Next.js versions >14.2.24 through <15.1.6

Impact

This vulnerability allows an attacker to poison the CDN cache by injecting the response body from a non-cacheable data request (?__nextDataRequest=1) into a normal request that retains cacheable headers, such as Cache-Control: public, max-age=300. No backend access or privilege escalation is possible through this vulnerability.…
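A detection sketch for the outcome described under Impact, added here as an example and not taken from the Vercel advisory or the Next.js code base: it flags responses to normal page URLs that a shared cache may store but whose body looks like a data response. The function names, the sample observations and the "pageProps" body shape are assumptions.

```javascript
// Added example. Assumption: a Pages Router data response is a JSON object
// with a "pageProps" key. Header names are expected in lower case.

// Constructed sample observations (not real traffic).
const SAMPLE_RESPONSES = [
  { url: "https://shop.example/products", status: 200,
    headers: { "cache-control": "public, max-age=300" },
    body: "<!DOCTYPE html><html><body>Products</body></html>" },
  { url: "https://shop.example/products", status: 200,
    headers: { "cache-control": "public, max-age=300" },
    body: '{"pageProps":{"items":[1,2]}}' },
  { url: "https://shop.example/products?__nextDataRequest=1", status: 200,
    headers: { "cache-control": "private, no-cache, no-store" },
    body: '{"pageProps":{"items":[1,2]}}' },
  { url: "https://shop.example/about", status: 200,
    headers: {},
    body: '{"pageProps":{}}' },
];

// Heuristic: may a shared cache store and serve this response?
// A missing Cache-Control counts as cacheable, because some CDNs
// cache a bare 200 OK (the case the advisory calls out).
function sharedCacheMayStore(headers) {
  const cc = (headers["cache-control"] || "").toLowerCase();
  if (cc === "") return true;
  if (/\b(no-store|private|no-cache)\b/.test(cc)) return false;
  const age = /(?:s-maxage|max-age)=(\d+)/.exec(cc);
  return /\bpublic\b/.test(cc) || (age !== null && Number(age[1]) > 0);
}

// True when the body parses as a JSON object carrying "pageProps".
function looksLikeDataResponse(body) {
  try {
    const parsed = JSON.parse(body);
    return parsed !== null && typeof parsed === "object" && "pageProps" in parsed;
  } catch {
    return false;
  }
}

// Normal (non-data) requests answered with a cacheable data-style body.
function findPoisonCandidates(responses) {
  return responses.filter((r) => {
    const isDataRequest = new URL(r.url).searchParams.has("__nextDataRequest");
    return r.status === 200 && !isDataRequest &&
      sharedCacheMayStore(r.headers) && looksLikeDataResponse(r.body);
  });
}
```

Run it over responses sampled through the CDN for HTML routes; any hit is a page whose cached copy should be purged and re-checked.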
