Description
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send an x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.
Published: 2026-05-13
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Next.js allows middleware to return redirects. If an attacker sends a request containing the x-nextjs-data header, the middleware treats the request as a data request and substitutes the normal Location header with an internal x-nextjs-redirect header. Browsers ignore the x-nextjs-redirect header, so the redirect becomes unusable. This vulnerability, classified as CWE-349 and CWE-444, effectively breaks the redirect mechanism for legitimate requests.

Affected Systems

The issue affects vercel:next.js from version 12.2.0 up to, but not including, 15.5.16 and 16.2.5. Upgrading to version 15.5.16 or 16.2.5, or any newer release, removes the flaw.

Risk and Exploitability

With a CVSS score of 3.7, the vulnerability is of low severity. The server-side error can be triggered by any external client that can craft a request with the x-nextjs-data header; no authentication is required. An attacker can poison cached 3xx responses on a CDN or reverse proxy that does not vary on this header, causing downstream visitors to receive a redirect lacking a Location header until the cache expires or is purged. The EPSS score of 8e-05 indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 25, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Next.js to version 15.5.16 or 16.2.5, or any newer release, to apply the patch.
  • Clear or purge any cached 3xx redirect responses for the affected paths in your CDN or reverse proxy.
  • Configure your CDN or reverse proxy to vary caching on the x-nextjs-data header or block that header to prevent future cache-poisoning attempts.
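
The cache-key recommendation above, as an added example (not code from Next.js, Vercel or OpenCVE): an in-memory model of a shared cache showing why varying on x-nextjs-data keeps ordinary visitors on a usable redirect, plus an audit check for entries to purge. Only the header names come from the advisory; the origin stand-in, function names and sample requests are constructed.

```javascript
const DATA_HEADER = 'x-nextjs-data';
const INTERNAL_REDIRECT = 'x-nextjs-redirect';

// Lower-case header names so lookups are case-insensitive.
const lower = (h) =>
  Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));

// Constructed stand-in for an affected origin: a middleware redirect on /old.
function affectedOrigin(reqHeaders) {
  const name = DATA_HEADER in lower(reqHeaders) ? INTERNAL_REDIRECT : 'location';
  return { status: 307, headers: { [name]: '/new' } };
}

// A redirect a browser cannot follow: 3xx, no Location, internal header present.
function isPoisonedRedirect(res) {
  const h = lower(res.headers);
  return res.status >= 300 && res.status < 400 &&
    !('location' in h) && INTERNAL_REDIRECT in h;
}

// Cache keys: the naive one ignores the header, the hardened one varies on it.
const naiveKey = (url) => `GET ${url}`;
const variedKey = (url, reqHeaders) =>
  `GET ${url} ${DATA_HEADER}=${lower(reqHeaders)[DATA_HEADER] ?? ''}`;

// Minimal shared cache in front of the origin, parameterised by key function.
function makeCache(keyFn) {
  const store = new Map();
  return {
    fetch(url, reqHeaders) {
      const key = keyFn(url, reqHeaders);
      if (!store.has(key)) store.set(key, affectedOrigin(reqHeaders));
      return store.get(key);
    },
    // Audit helper: keys of cached entries that should be purged.
    poisonedKeys: () =>
      [...store].filter(([, res]) => isPoisonedRedirect(res)).map(([k]) => k),
  };
}

// Replay two requests: one carrying the header, then an ordinary visitor.
function browserSeesLocation(keyFn) {
  const cache = makeCache(keyFn);
  cache.fetch('/old', { 'X-Nextjs-Data': '1' });
  const res = cache.fetch('/old', {});
  return { ok: 'location' in lower(res.headers), purge: cache.poisonedKeys() };
}

console.log(browserSeesLocation(naiveKey), browserSeesLocation(variedKey));
```

With the naive key the visitor is served the entry that `isPoisonedRedirect` flags; with the varied key that entry is confined to requests that carry the header themselves.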

Advisories
Source ID Title
GitHub GHSA GHSA-3g8h-86w9-wvmq Next.js's Middleware / Proxy redirects can be cache-poisoned
History

Mon, 25 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-444
References
Metrics threat_severity: None threat_severity: Moderate


Fri, 15 May 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Vercel
Vercel next.js
Vendors & Products Vercel
Vercel next.js

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send an x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.
Title Next.js: Middleware / Proxy redirects can be cache-poisoned
Weaknesses CWE-349
References
Metrics cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:33:10.541Z

Reserved: 2026-05-06T21:49:12.424Z

Link: CVE-2026-44572

Vulnrichment

Updated: 2026-05-14T15:33:04.651Z

NVD

Status: Analyzed

Published: 2026-05-13T16:16:58.800

Modified: 2026-05-15T15:46:08.980

Link: CVE-2026-44572

Red Hat

Severity: Moderate

Public Date: 2026-05-13T15:57:15Z

Links: CVE-2026-44572 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-25T14:00:17Z

Weaknesses
  • CWE-349

    Acceptance of Extraneous Untrusted Data With Trusted Data

  • CWE-444

    Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')