=====================================================================
CERT-Renater Information Note No. 2025/VULN417
_____________________________________________________________________

DATE                 : 04/07/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Next.js versions prior to 15.3.3.
=====================================================================

https://github.com/vercel/next.js/security/advisories/GHSA-67rr-84xm-4c7r
https://github.com/vercel/next.js/security/advisories/GHSA-r2fc-ccr8-96c4
_____________________________________________________________________

DoS via cache poisoning
Severity: High

ztanner published GHSA-67rr-84xm-4c7r on Jul 3, 2025

Package           : next (npm)
Affected versions : >15.0.4 and <15.2.0
Patched versions  : ≤15.0.4 and ≥15.2.0

Description

Summary

A vulnerability affecting Next.js has been addressed. It impacted versions >=15.1.0 <15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

More details: CVE-2025-49826

Credits: Allam Rachid (zhero); Allam Yasser (inzo)

Severity: High, 7.5 / 10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : None
  Integrity           : None
  Availability        : High
  Vector              : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID     : CVE-2025-49826
Weaknesses : No CWEs
Credits    : @cold-try (cold-try), Finder
_____________________________________________________________________

Cache poisoning due to omission of Vary header
Severity: Low

ztanner published GHSA-r2fc-ccr8-96c4 on Jul 3, 2025

Package           : next (npm)
Affected versions : >=15.3.0 and <15.3.3
Patched versions  : 15.3.3

Description

Summary

A cache poisoning issue in Next.js App Router >=15.3.0 <15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.
Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.

More details: CVE-2025-49005

Severity: Low, 3.7 / 10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : High
  Privileges required : None
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : None
  Integrity           : Low
  Availability        : None
  Vector              : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE ID     : CVE-2025-49005
Weaknesses : No CWEs

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email : cert@support.renater.fr +
=========================================================
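As an added example (not part of the CERT-Renater bulletin and not Next.js code), the following Python script does the two checks an operator would want after reading the two advisories above: it tests a deployed Next.js version against the affected ranges each advisory states, and it audits captured response headers for the condition the second advisory describes, a cacheable response whose Vary header does not cover the request header that distinguishes an RSC payload from the HTML document. The header name `RSC` is assumed to be the one Next.js App Router sends on RSC navigation requests; the sample response headers (including `Next-Router-State-Tree`, `Next-Router-Prefetch` and the `text/x-component` content type) are constructed for the example and are not taken from the bulletin. For GHSA-67rr-84xm-4c7r the bulletin carries two range statements (the "Affected versions" field and the narrower one in the Summary); the wider one is used here so that the check errs on the side of flagging.

```python
"""Added example: version-range and Vary-header checks for the two Next.js advisories."""
import re
from typing import Dict, List, Mapping, Tuple

# Affected ranges as stated in the two GitHub advisories relayed by the bulletin.
# GHSA-67rr-84xm-4c7r: the "Affected versions" field (>15.0.4 <15.2.0) is used rather
# than the narrower Summary range (>=15.1.0 <15.1.8) so the check flags conservatively.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2025-49826": [(">", "15.0.4"), ("<", "15.2.0")],
    "CVE-2025-49005": [(">=", "15.3.0"), ("<", "15.3.3")],
}

_OPS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v', pre-release suffix ignored)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_by(version: str) -> List[str]:
    """Return the CVE ids whose stated affected range contains `version`."""
    v = parse_version(version)
    return [
        cve
        for cve, constraints in ADVISORIES.items()
        if all(_OPS[op](v, parse_version(bound)) for op, bound in constraints)
    ]


# Assumed name of the request header Next.js App Router sets on RSC navigation
# requests. A shared cache that does not key on it can store the RSC payload under
# the same URL as the HTML page, which is the condition GHSA-r2fc-ccr8-96c4 describes.
RSC_REQUEST_HEADERS = {"rsc"}


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def vary_covers_rsc(response_headers: Mapping[str, str]) -> bool:
    """True if the response's Vary header lists the RSC request header (or is '*')."""
    tokens = {t.strip().lower() for t in _header(response_headers, "Vary").split(",")}
    tokens.discard("")
    return "*" in tokens or RSC_REQUEST_HEADERS <= tokens


def audit_vary(responses: Mapping[str, Mapping[str, str]]) -> List[str]:
    """Return the labels of captured responses whose Vary header does not cover RSC."""
    return [label for label, hdrs in responses.items() if not vary_covers_rsc(hdrs)]


# Constructed sample responses for an RSC request to the same path, not real captures.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "GET /dashboard (Vary covers RSC)": {
        "Content-Type": "text/x-component",
        "Cache-Control": "public, max-age=60",
        "Vary": "RSC, Next-Router-State-Tree, Next-Router-Prefetch",
    },
    "GET /dashboard (Vary missing)": {
        "Content-Type": "text/x-component",
        "Cache-Control": "public, max-age=60",
    },
}


if __name__ == "__main__":
    for ver in ("15.0.4", "15.1.5", "15.2.0", "15.3.1", "15.3.3"):
        hits = affected_by(ver)
        print(f"next@{ver}: {'AFFECTED by ' + ', '.join(hits) if hits else 'not in a stated range'}")
    for label in audit_vary(SAMPLE_RESPONSES):
        print(f"Vary does not cover RSC request header: {label}")
```

The version check is only as good as the stated ranges, so it should be rerun whenever the advisories are revised; the Vary audit is meant to be pointed at responses captured in front of whatever shared cache or CDN sits before the application, since that is where a missing Vary turns into a poisoned entry.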