HIGH · CVSS 7.5

CVE-2024-46982 — Next.js cache poisoning via path confusion

A cache-poisoning vulnerability in Next.js App Router let an attacker cause a pageProps JSON response to be cached against an HTML route, returning raw JSON to every subsequent visitor of that URL.

Affects
  • Next.js 13.5.1 through 14.2.9

What an attacker does

The attacker sends a crafted request to a Next.js App Router route with a manipulated `x-now-route-matches` header. The response — the route's JSON pageProps — is cached by the CDN against the HTML-expecting URL. Every user who visits that URL next sees the JSON blob (including any data not meant for them) rather than the rendered page.

How to detect

Check your Next.js version: `grep '"next"' package.json`. Anything from 13.5.1 through 14.2.9 is vulnerable.

How to fix

Upgrade to Next.js 14.2.10 or 15.x. No code changes required.

Workaround if you cannot upgrade today

If upgrading is blocked, strip the `x-now-route-matches` header at your edge or reverse proxy before the request reaches Next.js.

How Securie catches it

Securie flags vulnerable Next.js versions in every PR that touches package.json.

References