
CVE-2025-49826

Next.js patches CVE-2025-49826, a cache poisoning flaw in versions 15.1.0–15.1.7 that could cause HTTP 204 responses to be served to all users of affected static pages.

Jul 3 · primary fetch · 1 source · updated Jul 3

Summary

A vulnerability affecting Next.js has been addressed. It impacted versions >=15.1.0 <15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

This issue does not impact customers hosted on Vercel.

Impact

Under certain conditions, this issue may allow an HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page.

This issue required the below conditions to be exploitable:

- Using an affected version of Next.js, and;
- A route using cache revalidation with ISR (next start or standalone mode); and
- A route using SSR, with a CDN configured to cache 204 responses.

Resolution

The issue was resolved by removing the problematic code path that would have caused the 204 response to be set. Additionally, we removed the race condition that could have led to this cache poisoning by no longer relying on a shared response object to populate the Next.js response cache.

Credit

Thanks to Allam Rachid (zhero) and Allam Yasser (inzo_) for responsible disclosure.

References

GHSA-67rr-84xm-4c7r

Source: vercel.com, CVE-2025-49826 (primary)
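A triage sketch for the conditions listed in the advisory, added here as an example and not taken from Vercel or the Next.js code base: it classifies an installed Next.js version against the stated range and scans CDN log records for page routes that were served a cached 204. The log field names (`ts`, `method`, `path`, `status`, `cache`), the sample records and the `/api/` allowlist are constructed assumptions to map onto your own CDN's schema.

```javascript
// Added triage example for CVE-2025-49826; not code from Vercel or Next.js.
// Affected range from the advisory: >=15.1.0 <15.1.8.
function classifyNextVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) return "unparseable"; // e.g. a range like "^15.1.3": resolve the lockfile first
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  const is151 = major === 15 && minor === 1;
  // Assumption: pre-release builds of 15.1.0 through 15.1.8 are not classified
  // automatically and are flagged for manual review instead.
  if (m[4]) return is151 && patch <= 8 ? "review" : "not-affected";
  return is151 && patch < 8 ? "affected" : "not-affected";
}

// Constructed CDN log records; the field names are hypothetical.
const SAMPLE_CDN_LOG = [
  { ts: "2025-07-03T10:00:01Z", method: "GET", path: "/pricing", status: 200, cache: "HIT" },
  { ts: "2025-07-03T10:02:10Z", method: "GET", path: "/blog/launch", status: 204, cache: "MISS" },
  { ts: "2025-07-03T10:02:15Z", method: "GET", path: "/blog/launch", status: 204, cache: "HIT" },
  { ts: "2025-07-03T10:02:20Z", method: "GET", path: "/blog/launch", status: 204, cache: "HIT" },
  { ts: "2025-07-03T10:03:00Z", method: "GET", path: "/api/ping", status: 204, cache: "HIT" },
];

// Return page paths where the CDN answered a GET with a cached 204.
// expected204Prefixes lists routes that legitimately return 204 (assumption).
function findCached204(records, expected204Prefixes = []) {
  const byPath = new Map();
  for (const r of records) {
    if (r.method !== "GET" || r.status !== 204 || r.cache !== "HIT") continue;
    if (expected204Prefixes.some((p) => r.path.startsWith(p))) continue;
    const entry = byPath.get(r.path) || { path: r.path, count: 0, firstSeen: r.ts };
    entry.count += 1;
    if (r.ts < entry.firstSeen) entry.firstSeen = r.ts; // ISO-8601 UTC sorts as text
    byPath.set(r.path, entry);
  }
  // Most frequently served paths first: these are the cache entries to purge.
  return [...byPath.values()].sort((a, b) => b.count - a.count);
}

console.log(classifyNextVersion("15.1.7"), findCached204(SAMPLE_CDN_LOG, ["/api/"]));
```

Paths it reports are candidates for a CDN purge after upgrading to 15.1.8 or later; `firstSeen` gives a starting point for locating when the empty response entered the cache.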