Race Condition Vulnerability in Next.js Framework Affecting Vercel Deployments


Post by Shane1145 »

CVE-2025-32421 is a race condition vulnerability identified in the Next.js framework, which is widely used for building full-stack web applications. Specifically, this vulnerability impacts versions prior to 14.2.24 and 15.1.6 of Next.js. It manifests under certain misconfigurations in the Pages Router, allowing normal endpoints to unintentionally expose pageProps data instead of returning standard HTML responses. When improperly configured, this can lead to sensitive data exposure, affecting end-user privacy and security. The vulnerability's negative impact on organizations could include unauthorized access to application-specific data, loss of integrity in web application responses, and potential compliance violations regarding data protection regulations. The problem was addressed in subsequent versions by removing the x-now-route-matches header from incoming requests.


https://securityvulnerability.io/vulner ... 2025-32421
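An added example, not part of the original post or of Next.js itself: a check of a dependency version against the fixed releases named above, plus a helper that drops the `x-now-route-matches` header from an incoming request before it reaches the application (the mitigation the post describes). The function names and sample headers are hypothetical and constructed for illustration, and the version-range reading is an assumption noted in the code.

```javascript
// Added example: constructed data; function names are hypothetical.
const BLOCKED_HEADER = 'x-now-route-matches'; // header named in the post

// Parse "major.minor.patch" (any pre-release suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Component-wise comparison of two [major, minor, patch] triples.
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Assumption: "prior to 14.2.24 and 15.1.6" is read as
// anything below 14.2.24, plus 15.x releases below 15.1.6.
function isAffected(version) {
  const v = parseVersion(version);
  if (v[0] === 15) return lessThan(v, [15, 1, 6]);
  return lessThan(v, [14, 2, 24]);
}

// Return a copy of the headers without the blocked header, and whether
// it was present. Header names are matched case-insensitively.
function stripRouteMatches(headers) {
  const clean = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === BLOCKED_HEADER) stripped = true;
    else clean[name] = value;
  }
  return { clean, stripped };
}

// Constructed sample request headers.
const sample = { Host: 'app.example', 'X-Now-Route-Matches': '1=demo' };
console.log(isAffected('14.2.23'), stripRouteMatches(sample));
```

The `stripped` flag is worth logging at the edge: a client-supplied copy of this header is unexpected traffic on a deployment that is not behind Vercel's own routing layer.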