Next.js vulnerability: Poisoned cache could expose sensitive data
CVE-2024-46982
What is CVE-2024-46982?
CVE-2024-46982 is a vulnerability in the Next.js framework, which is widely used for building server-side rendered React applications. This vulnerability allows an attacker to poison the cache of certain non-dynamic server-side rendered routes by sending a specifically crafted HTTP request. As a result, sensitive data that should not be cached could inadvertently become accessible, exposing organizations to significant risks, including data breaches and unauthorized access.
Technical Details
The vulnerability affects Next.js versions between 13.5.1 and 14.2.9 that utilize the pages router and non-dynamic server-side rendered routes (e.g., pages/dashboard.tsx). The flaw arises because crafted requests can trick Next.js into applying caching rules, particularly through the use of a Cache-Control: s-maxage=1, stale-while-revalidate header. This behavior could lead upstream content delivery networks (CDNs) to cache sensitive data, further broadening the attack surface. This issue has been resolved in Next.js versions 13.5.7, 14.2.10, and later.
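A defender-side triage sketch for the conditions described above, added here as an example and not taken from the advisory or from Next.js: it checks an installed version against the affected ranges listed on this page and flags logged responses for routes that should never be cached but carry a Cache-Control header a CDN may store. The function names, the record shape and the sample records are assumptions constructed for illustration.

```javascript
// Added example, not Next.js or advisory code. Ranges are the ones listed on this page.
const AFFECTED = [
  { min: [13, 5, 1], fixed: [13, 5, 7] },
  { min: [14, 0, 0], fixed: [14, 2, 10] },
];

// Parse an exact installed version such as "14.2.9" or "v13.5.6" (no ranges, no prereleases).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the fixed release to upgrade to, or null when the version is outside both ranges.
function fixedReleaseFor(version) {
  const v = parseVersion(version);
  const hit = AFFECTED.find((r) => compare(v, r.min) >= 0 && compare(v, r.fixed) < 0);
  return hit ? hit.fixed.join(".") : null;
}

// Split a Cache-Control value into a Map of lowercase directive -> value ("" when bare).
function parseCacheControl(value) {
  const out = new Map();
  for (const part of String(value || "").split(",")) {
    const [k, v = ""] = part.trim().split("=");
    if (k) out.set(k.toLowerCase(), v.trim());
  }
  return out;
}

// Simplified check: the header lets a shared cache (CDN) store and serve the response.
function sharedCacheable(value) {
  const d = parseCacheControl(value);
  if (d.has("no-store") || d.has("private")) return false;
  return d.has("public") || Number(d.get("s-maxage")) > 0 || Number(d.get("max-age")) > 0;
}

// Flag logged responses for routes the operator expects never to be cached.
function findPoisoningIndicators(records, uncachedRoutes) {
  return records.filter((r) => uncachedRoutes.includes(r.path) && sharedCacheable(r.cacheControl));
}

// Constructed sample records (path and header as an origin or CDN log might capture them).
const SAMPLE = [
  { path: "/dashboard", cacheControl: "private, no-cache, no-store, max-age=0, must-revalidate" },
  { path: "/dashboard", cacheControl: "s-maxage=1, stale-while-revalidate" },
  { path: "/blog", cacheControl: "s-maxage=60, stale-while-revalidate" },
];
```

Read the installed version from the lockfile or node_modules/next/package.json rather than the range in package.json, and supply the list of routes that must never be cached from your own application.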
Potential Impact of CVE-2024-46982
- Data Exposure: Sensitive information intended for non-caching may become publicly accessible through cached responses, potentially leading to significant data breaches.
- Reputation Damage: Organizations may suffer reputational harm if exposed data results in negative publicity or loss of customer trust due to inadequate data protection measures.
- Compliance Violations: The compromise of sensitive data can lead to violations of data protection regulations (e.g., GDPR, HIPAA), resulting in potential legal actions and financial penalties for non-compliance.
Affected Version(s)
next.js >= 13.5.1, < 13.5.7 < 13.5.1, 13.5.7
next.js >= 14.0.0, < 14.2.10 < 14.0.0, 14.2.10
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.
News Articles

Next.js Framework Vulnerability Exposes Websites To Cache Poisoning & XSS Attacks
A critical vulnerability, identified as CVE-2024-46982, has been discovered in the popular Next.js framework, widely used for building full-stack web applications.
1 month ago
Timeline
- First article discovered by CybersecurityNews
- Vulnerability started trending
- Public PoC available
- Exploit known to exist
- Vulnerability published