Description
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send an x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.
Published: 2026-05-13
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Next.js allows middleware to return redirects. If an attacker sends a request containing the x-nextjs-data header, the middleware treats the request as a data request and substitutes the normal Location header with an internal x-nextjs-redirect header. Browsers ignore the x-nextjs-redirect header, so the redirect becomes unusable. This vulnerability, classified as CWE-349, effectively breaks the redirect mechanism for legitimate requests.

Affected Systems

The issue affects vercel:next.js from version 12.2.0 up to, but not including, 15.5.16 and 16.2.5. Upgrading to version 15.5.16 or 16.2.5, or any newer release, removes the flaw.

Risk and Exploitability

With a CVSS score of 3.7, the vulnerability is of low severity. The server-side error can be triggered by any external client who can craft a request with the x-nextjs-data header; no authentication is required. An attacker can poison cached 3xx responses on a CDN or reverse proxy that does not vary on this header, causing downstream visitors to receive a redirect lacking a Location header until the cache expires or is purged. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 13, 2026 at 18:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Next.js to version 15.5.16 or 16.2.5, or any newer release, to apply the patch.
  • Clear or purge any cached 3xx redirect responses for the affected paths in your CDN or reverse proxy.
  • Configure your CDN or reverse proxy to vary caching on the x-nextjs-data header or block that header to prevent future cache‑poisoning attempts.
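
One way to check captured edge responses for the state described above when purging and reviewing cache rules, as an added example that is not part of the advisory or of Next.js. The record shape (`path`, `status`, `headers`), the verdict names and the sample responses are constructed, and treating `no-store`/`private` as "not cached" is an assumption that depends on the CDN's own rules.

```javascript
// Added example: audit captured edge/cache responses for the poisoned-redirect
// state (a redirect carrying x-nextjs-redirect but no Location).
// Record shape, verdict names and sample data are constructed for illustration.
const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]); // 304 is not a redirect

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// True when the Vary header lists the given request header (or "*").
function variesOn(h, name) {
  return (h["vary"] || "").toLowerCase().split(",")
    .map((v) => v.trim()).some((v) => v === "*" || v === name);
}

// "poisoned": redirect with x-nextjs-redirect and no Location.
// "at-risk": cacheable redirect whose cache key ignores x-nextjs-data.
function classifyRedirect(response) {
  const h = normalizeHeaders(response.headers || {});
  if (!REDIRECT_CODES.has(response.status)) return "ok";
  if (!h["location"] && h["x-nextjs-redirect"]) return "poisoned";
  const cc = (h["cache-control"] || "").toLowerCase();
  const uncacheable = /\b(no-store|private)\b/.test(cc); // assumption, see lead-in
  return !uncacheable && !variesOn(h, "x-nextjs-data") ? "at-risk" : "ok";
}

// Return only the paths that need a purge or a cache-rule change.
function auditResponses(responses) {
  return responses
    .map((r) => ({ path: r.path, verdict: classifyRedirect(r) }))
    .filter((r) => r.verdict !== "ok");
}

// Constructed sample: responses as a cache audit or synthetic probe might record them.
const SAMPLE = [
  { path: "/old", status: 307, headers: { "X-Nextjs-Redirect": "/new", "Cache-Control": "public, max-age=3600" } },
  { path: "/promo", status: 308, headers: { Location: "/sale", "Cache-Control": "public, max-age=600" } },
  { path: "/login", status: 307, headers: { Location: "/signin", "Cache-Control": "public, max-age=60", Vary: "Accept-Encoding, x-nextjs-data" } },
  { path: "/", status: 200, headers: {} },
];

console.log(auditResponses(SAMPLE));
```

A "poisoned" verdict marks an entry to purge; "at-risk" marks a path where the cache should vary on x-nextjs-data or the header should be blocked at the edge.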



Advisories
Source: Github GHSA
ID: GHSA-3g8h-86w9-wvmq
Title: Next.js's Middleware / Proxy redirects can be cache-poisoned

History

Thu, 14 May 2026 16:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 19:00:00 +0000

Type: First Time appeared
Values Added: Vercel; Vercel next.js
Type: Vendors & Products
Values Added: Vercel; Vercel next.js

Wed, 13 May 2026 16:15:00 +0000

Type: Description
Values Added: same text as the Description at the top of this page
Type: Title
Values Added: Next.js: Middleware / Proxy redirects can be cache-poisoned
Type: Weaknesses
Values Added: CWE-349
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:33:10.541Z

Reserved: 2026-05-06T21:49:12.424Z

Link: CVE-2026-44572

Vulnrichment

Updated: 2026-05-14T15:33:04.651Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:58.800

Modified: 2026-05-13T16:58:40.557

Link: CVE-2026-44572

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:45:36Z
