MEDIUM · CVSS 5.3
CVE-2024-32421 — Next.js race condition in cached fetch
A race condition in Next.js's cached-fetch implementation could let concurrent requests observe incomplete or mixed responses under high concurrency.
Affects
- Next.js 13.5.0 through 14.1.4
What an attacker does
Under load, simultaneous requests to the same cacheable URL could receive interleaved response chunks, leaking partial data across tenants if the underlying fetch returned tenant-specific content.
How to detect
Check Next.js version.
How to fix
Upgrade Next.js to 14.1.5+.
Securie findingmedium · CVSS 5.3
CVE-2024-32421How Securie catches CVE-2024-32421
Securie flags vulnerable Next.js versions + audits cacheable fetch call-sites.
Scan my repo for CVE-2024-32421 →Securie reviews every PR · proves real issues · opens verified fix PRs