CVE-2024-46982

Cache Poisoning in next.js

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. Using pages router, & 3. Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

*Credits: N/A

CVSS Scores

GitHubv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-09-16 CVE Reserved
2024-09-17 CVE Published
2024-09-18 CVE Updated
2024-09-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-639: Authorization Bypass Through User-Controlled Key

CAPEC

References (3)

URL	Tag	Source
https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3	X_refsource_misc
https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda	X_refsource_misc
https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Vercel Search vendor "Vercel"		Next.js Search vendor "Vercel" for product "Next.js"				>= 13.5.1 < 13.5.7 Search vendor "Vercel" for product "Next.js" and version " >= 13.5.1 < 13.5.7"		en		Affected
Vercel Search vendor "Vercel"		Next.js Search vendor "Vercel" for product "Next.js"				>= 14.0.0 < 14.2.10 Search vendor "Vercel" for product "Next.js" and version " >= 14.0.0 < 14.2.10"		en		Affected