Authorization Bypass Vulnerability in Next.js Framework
CVE-2024-51479

Currently unrated

Key Information:

Vendor: Vercel
CVE Published: 17 December 2024

Badges

📈 Score: 906 | 👾 Exploit Exists | 🟣 EPSS 40% | 📰 News Worthy

What is CVE-2024-51479?

CVE-2024-51479 is a severe authorization bypass vulnerability affecting Next.js, a popular framework for building full-stack web applications. It arises when an application performs authorization checks in middleware based solely on the URL path. Attackers can exploit the flaw to bypass the intended authorization for certain pages directly under the application's root directory, potentially gaining unauthorized access to sensitive information and functionality.

Technical Details

This vulnerability affects certain versions of Next.js when authorization checks are performed in middleware based on the URL path. A path directly under the root, such as https://example.com/foo, can be accessed without the necessary authentication, while deeper nested routes like https://example.com/foo/bar are unaffected. The issue has been addressed in Next.js version 14.2.15 and later. For users hosting their Next.js applications on Vercel, mitigations have been automatically applied, regardless of the version being used.
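A triage helper for the condition described above, added here as an example and not taken from Next.js, Vercel or the original advisory: it flags self-hosted apps below 14.2.15 and lists root-level routes whose only guard is pathname-based middleware. The inventory format, the guard labels and the function names are assumptions made for illustration.

```javascript
// Added example: triage helper for CVE-2024-51479 (not Next.js or Vercel code).
// The page names only the fixed release, so every earlier version is flagged
// for review; the affected lower bound is not given on the page.
const FIXED = [14, 2, 15];

// Accepts exact versions such as "14.2.3", "v14.2.15" or "14.2.15-canary.2".
// Ranges ("^14.2.0") return null: resolve them from the lockfile first.
function isBeforeFix(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) return null;
  const nums = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (nums[i] !== FIXED[i]) return nums[i] < FIXED[i];
  }
  return Boolean(m[4]); // a pre-release of 14.2.15 sorts before 14.2.15
}

// True for pages directly under the root (/foo), false for nested routes
// (/foo/bar) and for the root itself.
function isRootLevel(path) {
  return path.split(/[?#]/)[0].split("/").filter(Boolean).length === 1;
}

// app.routes is a hypothetical inventory: { path, guards: [...] }. The guard
// "middleware-pathname" means authorization is decided only in middleware from
// the URL pathname; any other label is a check made inside the page itself.
function triage(app) {
  if (app.hostedOnVercel) return { status: "mitigated-by-host", review: [] };
  const before = isBeforeFix(app.nextVersion);
  if (before === false) return { status: "fixed", review: [] };
  const review = app.routes
    .filter((r) => isRootLevel(r.path))
    .filter((r) => r.guards.length > 0 && r.guards.every((g) => g === "middleware-pathname"))
    .map((r) => r.path);
  return { status: before === null ? "resolve-version" : "upgrade", review };
}

// Constructed sample inventory, not data from a real application.
const sample = {
  nextVersion: "14.2.3",
  hostedOnVercel: false,
  routes: [
    { path: "/admin", guards: ["middleware-pathname"] },
    { path: "/admin/users", guards: ["middleware-pathname"] },
    { path: "/billing", guards: ["middleware-pathname", "session-check-in-page"] },
    { path: "/about", guards: [] },
  ],
};
console.log(triage(sample));
```

Routes listed under `review` are the ones to re-check after upgrading, and the ones where a second authorization check inside the page removes the dependence on middleware alone.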

Potential Impact of CVE-2024-51479

  1. Unauthorized Access: The primary risk is the potential for unauthorized users to access restricted content or functionalities, which could result in data leaks and exploitation of sensitive features of the application.

  2. Data Breaches: Organizations may find themselves vulnerable to data breaches as attackers exploit the authorization bypass, leading to exposure of confidential information and possibly resulting in compliance violations and reputational harm.

  3. Increased Attack Surface: As the vulnerability enables easier circumvention of security measures, organizations face an increased likelihood of subsequent attacks, including data manipulation, credential theft, and further exploitation techniques, potentially leading to larger security incidents.

News Articles

Next.js Authorization Bypass Vulnerability Exposes Root-Level Pages

A critical security vulnerability tracked as CVE-2024-51479 has been identified in Next.js, a widely used React framework for building web applications.

Next.js Vulnerability Let Attackers Bypass Authentication

A high-severity vulnerability has been discovered in the popular web framework, Next.js, which allows attackers to bypass authentication.

EPSS Score

40% chance of being exploited in the next 30 days.

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by GBHackers News

  • Vulnerability published