Fluid Attacks Database

Description

A flaw was found in Next.js, a React framework for building web applications. This vulnerability, related to cache poisoning, affects applications utilizing React Server Components (RSC) when shared caches fail to properly partition response variants. A remote attacker can exploit this by causing an RSC response to be served from its original URL, thereby poisoning shared cache entries. As a result, subsequent visitors may receive unexpected component payloads instead of the intended HTML content.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	next	>=14.2.0 <15.5.16 \|\| >=16.0.0 <16.2.5	15.5.16, 16.2.5
rpm rhel10	firefox	-	-
rpm rhel7	firefox	-	-
rpm rhel9	firefox	-	-
rpm rhel10	thunderbird	-	-
rpm rhel8	thunderbird	-	-
rpm rhel9	thunderbird	-	-
rpm rhel8	firefox	-	-

Aliases

1. CVE-2026-445762. NVD-2026-445763. OSV-2026-445764. GHSA-wfc6-r584-vfw75. GCVE-2026-44576

References

1. https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw72. https://github.com/vercel/next.js/releases/tag/v15.5.163. https://github.com/vercel/next.js/releases/tag/v16.2.5