Description
Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. This vulnerability is fixed in 15.5.16 and 16.2.5.
Published: 2026-05-13
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Next.js, a widely used React framework, can expose its React Server Component responses to cache poisoning when the internal _rsc cache‑busting value is not properly partitioned. This flaw is categorized as CWE‑328 and CWE‑354, reflecting insecure cache key management and input validation weaknesses that allow a malicious entity to insert a false response into a shared cache. An attacker can craft a request that collides with an existing cache entry, causing a shared cache to store a malicious or altered response. Subsequent users accessing that URL would receive the wrong server‑generated content, potentially misleading or compromising them.

Affected Systems

The vulnerability targets the Vercel distributions of Next.js. All releases from 13.4.6 up to but excluding 15.5.16 and 16.2.5 are affected. Versions newer than 15.5.16 or 16.2.5 contain the fix for this flaw.

Risk and Exploitability

The CVSS score is 3.7, indicating low severity. The EPSS score of 0.009% suggests a very low exploitation probability. The issue is not listed in the CISA KEV catalog. This weakness corresponds to CWE‑328 and CWE‑354, indicating insecure cache key management and input validation can be exploited. Based on the description, an unauthenticated attacker can trigger a collision by sending requests that include a manipulated _rsc token against a deployment that utilizes a shared cache without proper response partitioning. When these conditions are met, the attacker can poison the cache so that end users receive incorrect server‑generated content.

Generated by OpenCVE AI on June 3, 2026 at 04:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Next.js to version 15.5.16, 16.2.5 or newer, which contains the fix.
  • Configure the reverse proxy or CDN to disable shared caching for routes that render React Server Components or implement response partitioning based on the _rsc value, thereby mitigating CWE‑328.
  • Test the deployment by sending a crafted request with a manipulated _rsc token to confirm that the shared cache does not store colliding entries, and monitor cache logs for anomalous entries.
  • Review and enforce cache key hygiene in the application, ensuring that cache keys are unique and not susceptible to collision attacks, to address the core CWE‑328 weakness.

Generated by OpenCVE AI on June 3, 2026 at 04:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vfv6-92ff-j949 Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting
History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-354
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 14 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Wed, 13 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Vercel
Vercel next.js
Vendors & Products Vercel
Vercel next.js

Wed, 13 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. This vulnerability is fixed in 15.5.16 and 16.2.5.
Title Next.js: Cache poisoning via collisions in React Server Component cache-busting
Weaknesses CWE-328
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Vercel Next.js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:23:52.729Z

Reserved: 2026-05-06T21:49:12.425Z

Link: CVE-2026-44582

cve-icon Vulnrichment

Updated: 2026-05-14T18:23:49.610Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T18:16:19.037

Modified: 2026-05-14T18:15:03.260

Link: CVE-2026-44582

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-13T17:08:22Z

Links: CVE-2026-44582 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T05:00:12Z

Weaknesses