Denial of Service Vulnerability in Next.js Framework by Vercel
CVE-2024-56332
What is CVE-2024-56332?
CVE-2024-56332 is a Denial of Service (DoS) vulnerability in the Next.js framework, which is widely used for building full-stack web applications with React. It affects Next.js versions prior to 13.5.8, 14.2.21, and 15.1.2 and allows an attacker to send requests that hang indefinitely, disrupting the service. If exploited, organizations risk prolonged unavailability of their applications and may also incur higher operational costs, especially where hosting fees are billed by function execution time.
Technical Details
The vulnerability arises from how Next.js handles requests to Server Actions. When an attacker sends a specially crafted request that triggers this flaw, the server leaves the request open until the hosting provider terminates the function execution, creating a prolonged idle state. The server does not consume significant CPU or memory during this time, which makes the malicious activity hard to detect. Deployments without protective measures against long-running Server Action invocations are particularly at risk. The issue is similar to problems caused by invalid Content-Length headers or requests that never close, and it is most concerning on platforms such as Vercel or Netlify that impose execution-duration limits to manage billing risk.
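As an added example (not code from Next.js or from this advisory), the following detection pass runs over constructed JSON access-log lines and flags Server Action requests that show the pattern described above, a long wall-clock duration with almost no CPU time, then counts them per source so repeated abuse from one client stands out. The field names (nextAction, durationMs, cpuMs, src) are assumptions about the log format.

```javascript
'use strict';

// Constructed sample access log (JSON lines). Field names such as
// nextAction, durationMs and cpuMs are assumptions for this example.
const SAMPLE_LOG = `
{"ts":"2025-01-03T10:00:00Z","src":"198.51.100.7","method":"POST","path":"/","nextAction":"a1b2","status":200,"durationMs":120,"cpuMs":95}
{"ts":"2025-01-03T10:00:01Z","src":"198.51.100.7","method":"GET","path":"/about","status":200,"durationMs":30,"cpuMs":25}
{"ts":"2025-01-03T10:00:02Z","src":"203.0.113.9","method":"POST","path":"/","nextAction":"a1b2","status":504,"durationMs":300000,"cpuMs":4}
{"ts":"2025-01-03T10:00:03Z","src":"198.51.100.7","method":"POST","path":"/","nextAction":"c3d4","status":200,"durationMs":45000,"cpuMs":44000}
{"ts":"2025-01-03T10:00:04Z","src":"203.0.113.9","method":"POST","path":"/","nextAction":"a1b2","status":504,"durationMs":300000,"cpuMs":3}
not-json garbage line
`;

// Parse JSON lines, skipping blanks and malformed entries rather than failing.
function parseLogLines(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    try { entries.push(JSON.parse(trimmed)); } catch (_) { /* skip bad line */ }
  }
  return entries;
}

// A Server Action invocation in this log is a POST carrying a nextAction id.
function isServerAction(e) {
  return e.method === 'POST' && typeof e.nextAction === 'string';
}

// The advisory's signature: long wall-clock time with almost no CPU use.
// A slow-but-busy action (high cpuMs) is legitimate work and is not flagged.
function isIdleHang(e, { minDurationMs = 60000, maxCpuRatio = 0.05 } = {}) {
  if (!isServerAction(e)) return false;
  if (e.durationMs < minDurationMs) return false;
  return e.cpuMs / e.durationMs <= maxCpuRatio;
}

// Returns flagged entries plus a per-source count, so repeated hangs from
// one client stand out as candidates for rate limiting or blocking.
function findIdleHangs(text, opts) {
  const flagged = parseLogLines(text).filter((e) => isIdleHang(e, opts));
  const bySource = {};
  for (const e of flagged) bySource[e.src] = (bySource[e.src] || 0) + 1;
  return { flagged, bySource };
}

console.log('Idle Server Action hangs by source:', findIdleHangs(SAMPLE_LOG).bySource);
```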
Potential impact of CVE-2024-56332
- Service Disruption: The primary risk is significant application downtime. Legitimate user requests may stall while malicious requests occupy server resources, degrading the user experience and causing loss of business.
- Increased Costs: Organizations on usage-based pricing could see inflated bills, because hanging requests keep consuming billable execution time, leading to unexpected operational costs.
- Repeated Abuse: The vulnerability lends itself to repeated exploitation. An attacker can keep triggering hanging requests, holding the server in a denial state and degrading overall application availability.