NC 25 Nonce values empty in HTML

Server version: Nextcloud 25.0.4

When I load my Nextcloud instance at “cloud.example.com/apps/files
the Developer Tools show that some scripts get blocked because of a CSP:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
Source: event.preventDefault()

The reason seems to be that the nonce values inside the HTML are not set to their corresponding value:

I can see in the sent headers that some nonce value is set there:

The NC logs don’t show anything useful

How can I resolve this issue? Where should I start looking?