Fluid Attacks Database

Description

A flaw was found in Next.js. An external client could exploit this vulnerability by sending a x-nextjs-data header on a request to a path handled by middleware that returns a redirect. This action could cause the middleware or proxy to incorrectly process the request as a data request, replacing the standard Location redirect header with an internal x-nextjs-redirect header. If the application is deployed behind a caching Content Delivery Network (CDN) or reverse proxy, a malicious request could poison the cached redirect response, leading to a denial of service for subsequent visitors attempting to access the affected path.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	next	>=12.2.0 <15.5.16 \|\| >=16.0.0 <16.2.5	15.5.16, 16.2.5
rpm rhel10	firefox	-	-
rpm rhel7	firefox	-	-
rpm rhel9	firefox	-	-
rpm rhel8	thunderbird	-	-
rpm rhel9	thunderbird	-	-
rpm rhel8	firefox	-	-
rpm rhel10	thunderbird	-	-

Aliases

1. CVE-2026-445722. NVD-2026-445723. OSV-2026-445724. GHSA-3g8h-86w9-wvmq5. GCVE-2026-44572

References

1. https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq2. https://github.com/vercel/next.js/releases/tag/v15.5.163. https://github.com/vercel/next.js/releases/tag/v16.2.5