next 15.3.2
1 security vulnerability
found in version
15.3.2
Next.js has a Cache poisoning vulnerability due to omission of the Vary header
low severity CVE-2025-49005
low severity
CVE-2025-49005
Affected versions:
>= 15.3.0, < 15.3.3
Summary
A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.
Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.
More details: CVE-2025-49005
No license issues detected.
This package version has a license in the source code.
This package version is available.
This package version has not been yanked and is still available for usage.