Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-gp8f-8m3g-qvj9

Опубликовано: 17 сент. 2024
Источник: github
Github: Прошло ревью
CVSS4: 8.7
CVSS3: 7.5

Описание

Next.js Cache Poisoning

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

  • Next.js between 13.5.1 and 14.2.9
  • Using pages router
  • Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

  • Deployments using only app router
  • Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

  • Allam Rachid (zhero_)
  • Henry Chen

Ссылки

Пакеты

Наименование

next

npm
Затронутые версииВерсия исправления

>= 13.5.1, < 13.5.7

13.5.7

Наименование

next

npm
Затронутые версииВерсия исправления

>= 14.0.0, < 14.2.10

14.2.10

EPSS

Процентиль: 98%
0.52473
Средний

8.7 High

CVSS4

7.5 High

CVSS3

CVE ID

CVE-2024-46982

Дефекты

CWE-349
CWE-639

Связанные уязвимости

nvd логотип

CVE-2024-46982

CVSS3: 7.5
nvd
9 месяцев назад

Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. Using pages router, & 3. Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

fstec логотип

BDU:2024-07780

CVSS3: 7.5
fstec
9 месяцев назад

Уязвимость программной платформы создания веб-приложений Next.js, связанная с обходом авторизации посредством использования ключа, контролируемого пользователем, позволяющая нарушителю раскрыть защищаемую информацию

EPSS

Процентиль: 98%
0.52473
Средний

8.7 High

CVSS4

7.5 High

CVSS3

CVE ID

CVE-2024-46982

Дефекты

CWE-349
CWE-639