Описание
A CSRF check bypass flaw has been discovered in Next.js. In the next dev, cross-site protection for internal websocket endpoints could treat Origin: null as a bypass case even if allowedDevOrigins is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured allowedDevOrigins still allow connections from any origin.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 9 | dotnet7.0 | Fix deferred | ||
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-cuda-rhel9 | Fix deferred | ||
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-rocm-rhel9 | Fix deferred | ||
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/disk-image-cuda-rhel9 | Fix deferred | ||
| Red Hat Trusted Artifact Signer | rhtas/rekor-search-ui-rhel9 | Fix deferred | ||
| streams for Apache Kafka 2 | com.github.streamshub-console | Fix deferred | ||
| streams for Apache Kafka 3 | com.github.streamshub-console | Fix deferred |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
4.2 Medium
CVSS3
Связанные уязвимости
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy
4.2 Medium
CVSS3