Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2025-32421
Summary
The issue affects Next.js. Versions 13.5.1-canary.0 through 13.5.8, 14.0.0 through 14.2.23, 4.3.0-canary.0 through 14.3.0-canary.87 and 15.0.0-rc.0 through 15.2.0-canary.19 have a race-condition vulnerability in the Pages Router under certain misconfigurations, which can cause normal endpoints to serve "pageProps" data instead of standard HTML. This was addressed by stripping the "x-now-route-matches" header from incoming requests. Applications hosted on Vercel are not affected. Self-hosted users should strip this header and set "cache-control: no-store" for vulnerable responses as a mitigation if upgrading is not immediately possible.
- HIGH
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- LOW
- NONE
CWE-362 - Race Condition
A race condition occurs in a shared memory program when two threads/processes access the same shared memory data, and at least one thread executes a write operation. This vulnerability manipulates the time to check vs. time to use (TOC/TOU) gap between the threads in the critical section to cause disorientation in the shared data. The impact can vary from compromising the confidentiality of the system to causing the system to crash or to execute arbitrary code.
Advisory Timeline
- Published
