CVE-2026-44572

May 13, 2026, 4:58 p.m.

3.7
Low

Description

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.

Product(s) Impacted

Vendor Product Versions
Vercel
  • Next.js
  • 12.2.0-15.5.15, 16.2.5

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-349
Acceptance of Extraneous Untrusted Data With Trusted Data
The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a vercel next.js 12.2.0-15.5.15 / / / / / / /
a vercel next.js 16.2.5 / / / / / / /

References

https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq

Tags

[email protected]
CWE-349
2026-05-13
CVE-2026-44572

CVSS Score

3.7 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: LOW

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

    View Vector String

Timeline

Published: May 13, 2026, 4:16 p.m.
Last Modified: May 13, 2026, 4:58 p.m.

Status : Undergoing Analysis

CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.