CVE-2025-32421

描述

**Summary** We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the **Pages Router** under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. [Learn more here](https://vercel.com/changelog/cve-2025-32421) **Credit** Thank you to **Allam Rachid (zhero)** for the responsible disclosure. This research was rewarded as part of our bug bounty program.

受影響套件(1)

• npm/next>= 0.9.9, < 14.2.24

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-32421
• PATCHhttps://github.com/vercel/next.js
• WEBhttps://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4
• WEBhttps://vercel.com/changelog/cve-2025-32421