MEDIUM · CVSS 5.3
CVE-2024-32421 — Next.js race condition in cached fetch
A race condition in Next.js's cached-fetch implementation could let concurrent requests observe incomplete or mixed responses under high concurrency.
Affects
- Next.js 13.5.0 through 14.1.4
What an attacker does
Under load, simultaneous requests to the same cacheable URL could receive interleaved response chunks, leaking partial data across tenants if the underlying fetch returned tenant-specific content.
How to detect
Check Next.js version.
How to fix
Upgrade Next.js to 14.1.5+.
How Securie catches it
Securie flags vulnerable Next.js versions + audits cacheable fetch call-sites.