CVE-2024-46982
Published: 17 September 2024
Summary
CVE-2024-46982 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Vercel Next.js. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Next.js, the React framework for full-stack web applications, contains a cache-poisoning flaw that affects non-dynamic server-side rendered routes when the pages router is in use. An attacker who sends a specially crafted HTTP request can force the framework to cache a route that should not be cached and to emit a Cache-Control: s-maxage=1, stale-while-revalidate header that some upstream CDNs will also honor. The issue is limited to versions 13.5.1 through 14.2.9; the app router and dynamic routes such as pages/blog/[slug].tsx are unaffected.
Because the attack requires only an unauthenticated network request, any remote adversary can trigger the poisoning. Successful exploitation results in the server or CDN serving incorrect or stale content for the targeted route, producing a high-impact availability condition as reflected in the CVSS 7.5 score and CWE-639 classification.
The official GitHub Security Advisory and the patches merged in commits 7ed7f125e and bd164d53a state that the vulnerability is resolved in Next.js 13.5.7, 14.2.10, and later releases. No official workarounds are recommended; the advisory explicitly advises upgrading regardless of whether the issue can be reproduced in a given deployment. The associated EPSS score reached a peak of 0.5262 and currently stands at 0.4906.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2803
Vulnerability details
Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router).
When this crafted request is sent, it could coerce Next.js to cache a route that is meant not to be cached and to send a `Cache-Control: s-maxage=1, stale-while-revalidate` header, which some upstream CDNs may cache as well. To be potentially affected, all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. using the pages router, and 3. using non-dynamic server-side rendered routes, e.g. `pages/dashboard.tsx`, not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue; we recommend that users patch to a safe version.
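The three exposure conditions above can be checked mechanically when triaging a code base. The following is an added example, not code from the advisory or from Next.js; the function names, the text-match heuristic for `getServerSideProps`, the treatment of 13.5.7 and later 13.5.x releases as fixed, and the sample file map are assumptions constructed here.

```javascript
// Added triage helper (hypothetical names): applies the three conditions from
// the description to a Next.js version string and a map of file path -> source.

// Parse "major.minor.patch"; pre-release suffixes such as "-canary.1" are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Condition 1: 13.5.1 <= version <= 14.2.9. The fixed release 13.5.7 falls
// numerically inside that range, so it is excluded explicitly.
function versionAffected(version) {
  const v = parseVersion(version);
  if (cmp(v, [13, 5, 1]) < 0 || cmp(v, [14, 2, 9]) > 0) return false;
  if (v[0] === 13 && v[1] === 5 && v[2] >= 7) return false;
  return true;
}

// Conditions 2 and 3: file is under pages/ (or src/pages/), has no dynamic
// [segment], and exports getServerSideProps (heuristic text match, an assumption).
function exposedRoutes(version, files) {
  if (!versionAffected(version)) return [];
  const ssr = /export\s+(async\s+)?(function|const)\s+getServerSideProps\b/;
  return Object.entries(files)
    .filter(([path]) => /^(src\/)?pages\/.+\.(js|jsx|ts|tsx)$/.test(path))
    .filter(([path]) => !path.includes("["))
    .filter(([, src]) => ssr.test(src))
    .map(([path]) => path)
    .sort();
}

// Constructed sample project, not taken from the advisory.
const sampleFiles = {
  "pages/dashboard.tsx": "export async function getServerSideProps() { return { props: {} }; }",
  "pages/blog/[slug].tsx": "export const getServerSideProps = async () => ({ props: {} });",
  "pages/about.tsx": "export default function About() { return null; }",
  "app/settings/page.tsx": "export default function Page() { return null; }",
};

console.log(exposedRoutes("14.2.9", sampleFiles));
```

An empty result does not replace the upgrade: the advisory recommends patching whether or not the issue can be reproduced.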
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.