shipfeed: AI news, curated daily


CVE-2025-49005

Next.js 15.3.3 resolves a cache poisoning vulnerability in App Router where RSC payloads could be served in place of HTML under certain middleware redirect conditions.

Jul 3 · primary fetch · 1 source · updated Jul 3

A cache poisoning vulnerability affecting Next.js App Router >=15.3.0 < 15.3.3 / Vercel CLI 41.4.1–42.2.0 has been resolved. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cache poisoning if the CDN does not properly distinguish between RSC / HTML in the cache keys.

Under specific conditions involving App Router, middleware redirects, and omitted Vary headers, applications may:

This issue occurs in environments where middleware rewrites or redirects result in improper cache key separation, because the cache-busting parameter added by the framework is stripped by the user’s redirect.

The issue was resolved in Next.js 15.3.3 by:

Customers hosting on Vercel with deployments that used the impacted CLI versions must redeploy their applications to receive the fix.

Thanks to internal incident response teams and affected Vercel customers for timely reports and debugging assistance.…
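
The cache key separation described above can be seen in a small model, added here as an illustration and not taken from the Vercel advisory or from Next.js. The cache, origin and redirect functions are hypothetical; the model assumes RSC requests are marked by an `rsc: 1` request header and a `_rsc` cache-busting query parameter.

```javascript
// Constructed model of a shared cache; not Next.js or any CDN's real code.
// Assumption: RSC requests carry an "rsc: 1" header and a "_rsc" query parameter.

// Build a cache key from the URL plus the request headers named in Vary.
function cacheKey(url, reqHeaders, varyNames) {
  const varied = varyNames
    .map((n) => n.toLowerCase())
    .sort()
    .map((n) => `${n}=${reqHeaders[n] ?? ""}`);
  return [url, ...varied].join("|");
}

// Hypothetical origin: answers with an RSC payload when the RSC header is set.
function origin(url, reqHeaders, { sendVary }) {
  const isRsc = reqHeaders["rsc"] === "1";
  return {
    contentType: isRsc ? "text/x-component" : "text/html",
    vary: sendVary ? ["RSC"] : [],
  };
}

// Hypothetical user middleware redirect that rebuilds the URL from the path
// only, dropping the query string and with it the _rsc parameter.
function redirectTarget(url) {
  return new URL(url, "http://example.test").pathname.replace("/old", "/new");
}

class SharedCache {
  constructor() { this.entries = new Map(); this.vary = new Map(); }
  fetch(url, reqHeaders, originOpts) {
    const key = cacheKey(url, reqHeaders, this.vary.get(url) ?? []);
    if (this.entries.has(key)) return this.entries.get(key);
    const res = origin(url, reqHeaders, originOpts);
    this.vary.set(url, res.vary); // remember which headers the origin varies on
    this.entries.set(cacheKey(url, reqHeaders, res.vary), res);
    return res;
  }
}

// Replay: an RSC navigation follows the redirect, then a browser asks for HTML.
function htmlRequestGets(originOpts) {
  const cache = new SharedCache();
  const target = redirectTarget("/old?_rsc=abc12"); // constructed sample URL
  cache.fetch(target, { rsc: "1" }, originOpts);
  return cache.fetch(target, {}, originOpts).contentType;
}
```

With `sendVary: false` the HTML request is answered from the entry stored for the RSC request; with `sendVary: true` the two requests land on separate keys.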

read full article on vercel.com
§ sources · 1 publication
  1. vercel.com · CVE-2025-49005 · primary