CVE-2025-49005

  • Thread starter: Aaron Brown, Zack Tanner

Summary

A cache poisoning vulnerability affecting Next.js App Router >=15.3.0 < 15.3.3 / Vercel CLI 41.4.1–42.2.0 has been resolved. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cache poisoning if the CDN does not properly distinguish between RSC / HTML in the cache keys.

Impact

Under specific conditions involving App Router, middleware redirects, and omitted Vary headers, applications may:

  • Serve RSC payloads in place of HTML
  • Cache these responses at the browser or CDN layer
  • Display broken or incorrect client content

This issue occurs in environments where middleware rewrites or redirects result in improper cache key separation, because the cache-busting parameter added by the framework is stripped by the user’s redirect.

Resolution

The issue was resolved in Next.js 15.3.3 by:

  • Ensuring the Vary header is correctly set to distinguish between different content types

Customers hosting on Vercel with deployments that used the impacted CLI versions must redeploy their applications to receive the fix.

Workarounds

  • Manually add the Vary header on RSC responses to differentiate between RSC and HTML payloads. Specifically, Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch.
  • Apply a unique cache-busting search parameter to the middleware redirect destination
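
The following is an added example, not code from Vercel or Next.js: a small model of a shared cache that shows why the Vary workaround keeps an RSC payload from being served to an HTML request, plus a helper for auditing a response's Vary header. The `VaryCache` class, the `/dashboard` path and the payload string are constructed for illustration.

```javascript
// Added example: a generic shared cache keyed on URL plus the request
// headers named in the stored response's Vary header (names lowercased).
const REQUIRED_VARY = ["RSC", "Next-Router-State-Tree", "Next-Router-Prefetch"];

const parseVary = (value) =>
  (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);

// Audit helper: which of the workaround's Vary tokens does a response lack?
function missingVaryTokens(varyHeader) {
  const present = new Set(parseVary(varyHeader));
  if (present.has("*")) return []; // Vary: * is never reused by a cache
  return REQUIRED_VARY.filter((t) => !present.has(t.toLowerCase()));
}

class VaryCache {
  constructor() {
    this.entries = new Map(); // url -> [{ vary, reqHeaders, body }]
  }
  store(url, reqHeaders, varyHeader, body) {
    const list = this.entries.get(url) || [];
    list.push({ vary: parseVary(varyHeader), reqHeaders, body });
    this.entries.set(url, list);
  }
  lookup(url, reqHeaders) {
    for (const e of this.entries.get(url) || []) {
      if (e.vary.includes("*")) continue;
      const same = e.vary.every(
        (h) => (reqHeaders[h] || "") === (e.reqHeaders[h] || "")
      );
      if (same) return e.body; // cache hit
    }
    return null; // cache miss: request goes to origin
  }
}

// Constructed scenario: the redirect destination has lost the framework's
// cache-busting parameter, so RSC and HTML requests share one URL.
function simulate(varyHeader) {
  const cache = new VaryCache();
  const url = "/dashboard"; // constructed path
  // 1. A client-side navigation (RSC: 1) populates the cache.
  cache.store(url, { rsc: "1" }, varyHeader, "<rsc payload>");
  // 2. A later full page load sends no RSC header.
  return cache.lookup(url, {});
}

console.log(simulate("")); // "<rsc payload>": HTML request gets the RSC body
console.log(simulate(REQUIRED_VARY.join(", "))); // null: forwarded to origin
```

`missingVaryTokens` can be run against the Vary header captured from a self-hosted deployment's RSC responses to confirm that the CDN has what it needs to separate the two payload types.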

Credit

Thanks to internal incident response teams and affected Vercel customers for timely reports and debugging assistance.
