CVE-2026-44572
Denial of Service (DoS) vulnerability in next (npm)
What is CVE-2026-44572 About?
This vulnerability in Next.js allows cache poisoning, leading to a Denial of Service for redirect paths when the application is deployed behind a caching CDN or reverse proxy. An external client can send a crafted request with the `x-nextjs-data` header to trigger an unusable redirect, which then gets cached. Exploitation is moderately easy but depends on a caching proxy sitting in front of the application.
Affected Software
- next
  - >=12.2.0, <15.5.16
  - >=16.0.0, <16.2.5
Technical Details
Next.js uses the x-nextjs-data header for internal data requests. In vulnerable versions, an external client could send this header on a normal request to a path handled by middleware that returns a redirect. The middleware/proxy would then treat it as a data request, replacing the standard Location header with x-nextjs-redirect. Since browsers do not follow x-nextjs-redirect, the response becomes an unusable redirect. If the application is deployed behind a CDN or reverse proxy that caches 3xx responses without varying on x-nextjs-data, a single attacker's request can poison the cache, causing subsequent visitors to receive a cached, broken redirect (without a valid Location header), leading to a denial of service for that path.
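The caching behaviour described above can be reproduced in a small offline model. This is an added example, not Next.js or CDN code: `origin`, `makeProxy`, `weakKey`, `variedKey`, the paths `/old` and `/new`, and the 307 status are constructed for illustration, and header names are assumed to be normalized to lowercase.

```javascript
// Toy model (constructed): one redirect path served through a caching proxy.
// origin() imitates the vulnerable behaviour: when x-nextjs-data is present,
// the redirect target moves from Location to x-nextjs-redirect.
function origin(req) {
  const isData = 'x-nextjs-data' in req.headers;
  return isData
    ? { status: 307, headers: { 'x-nextjs-redirect': '/new' } }
    : { status: 307, headers: { location: '/new' } };
}

// A redirect a browser cannot follow: 3xx status with no Location header.
function isBrokenRedirect(res) {
  return res.status >= 300 && res.status < 400 && !res.headers.location;
}

// Weak cache key: path only, so both request kinds share one cache entry.
const weakKey = (req) => req.path;

// Corrected cache key: varies on the presence of x-nextjs-data.
const variedKey = (req) =>
  `${req.path}|data=${'x-nextjs-data' in req.headers}`;

// Minimal caching proxy: stores the first response seen for each key.
function makeProxy(keyFn) {
  const store = new Map();
  return (req) => {
    const key = keyFn(req);
    if (!store.has(key)) store.set(key, origin(req));
    return store.get(key);
  };
}

// Constructed traffic: a request carrying the header arrives first,
// then an ordinary visitor requests the same path.
function visitorGetsBrokenRedirect(proxy) {
  proxy({ path: '/old', headers: { 'x-nextjs-data': '1' } });
  const res = proxy({ path: '/old', headers: {} });
  return isBrokenRedirect(res);
}

console.log('path-only key:', visitorGetsBrokenRedirect(makeProxy(weakKey)));
console.log('varied key:   ', visitorGetsBrokenRedirect(makeProxy(variedKey)));
```

With the path-only key the ordinary visitor is served the cached response that has no Location header; with the key that varies on `x-nextjs-data` the two request kinds never share an entry.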
What is the Impact of CVE-2026-44572?
Successful exploitation may allow attackers to poison cache entries for redirect paths, leading to a denial of service for legitimate users attempting to access those paths until the cache entry expires or is purged.
What is the Exploitability of CVE-2026-44572?
Exploitation requires sending a specifically crafted HTTP request with the x-nextjs-data header to a Next.js application that uses middleware or proxy redirects and is deployed behind a caching CDN or reverse proxy. The caching layer must not vary its cache key on the x-nextjs-data header for 3xx responses. No authentication is typically required for this remote attack. The complexity lies in identifying suitable redirect paths and ensuring the caching infrastructure is vulnerable to this specific cache poisoning technique. The primary risk factor is the misconfiguration of caching proxies in front of Next.js applications.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-44572?
Available Upgrade Options
- next
  - >=12.2.0, <15.5.16 → Upgrade to 15.5.16
  - >=16.0.0, <16.2.5 → Upgrade to 16.2.5
What are Similar Vulnerabilities to CVE-2026-44572?
Similar Vulnerabilities: CVE-2023-46802, CVE-2022-24368, CVE-2021-39234, CVE-2020-10189, CVE-2019-1000008
