Cyber Resilience

CVE-2024-46982

High

Published: 17 September 2024

Modified: 10 September 2025
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.4906 (97.8th percentile)
Risk Priority: 44 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-46982 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Vercel Next.js. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Next.js, the React framework for full-stack web applications, contains a cache-poisoning flaw that affects non-dynamic server-side rendered routes when the pages router is in use. An attacker who sends a specially crafted HTTP request can force the framework to cache a route that should not be cached and to emit a `Cache-Control: s-maxage=1, stale-while-revalidate` header that some upstream CDNs will also honor. The issue is limited to versions 13.5.1 through 14.2.9; the app router and dynamic routes such as `pages/blog/[slug].tsx` are unaffected.

Because the attack requires only an unauthenticated network request, any remote adversary can trigger the poisoning. Successful exploitation results in the server or CDN serving incorrect or stale content for the targeted route, producing the high availability impact (A:H) that underlies the CVSS 7.5 score; NVD classifies the weakness as CWE-639.

The official GitHub Security Advisory and the patches merged in commits 7ed7f125e and bd164d53a state that the vulnerability is resolved in Next.js 13.5.7, 14.2.10, and later releases. No official workarounds are recommended; the advisory explicitly advises upgrading regardless of whether the issue can be reproduced in a given deployment. The associated EPSS score reached a peak of 0.5262 and currently stands at 0.4906.

EU & UK References

Vulnerability details

Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router).

When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply:

1. Next.js between 13.5.1 and 14.2.9,
2. Using pages router, and
3. Using non-dynamic server-side rendered routes, e.g. `pages/dashboard.tsx`, not `pages/blog/[slug].tsx`.

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue; we recommend that users patch to a safe version.
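The two facts a defender can act on from the analysis and the advisory above are the affected version range and the tell-tale `Cache-Control` header. The following Node.js script is an added example, not code from Vercel or from this page: it checks a `package.json`-shaped object against the advisory's ranges (13.5.1 up to the fixed 13.5.7, and 14.0.0 up to the fixed 14.2.10, an interpretation of the advisory text) and flags responses from operator-listed non-dynamic SSR routes that carry the `s-maxage=1, stale-while-revalidate` header. The `triage` function, the route list and the sample package and response data are all constructed for illustration.

```javascript
// Added defender-side triage for CVE-2024-46982 (not Vercel's code).
// Assumption: affected ranges are read from the advisory as
// 13.5.1 <= v < 13.5.7 and 14.0.0 <= v < 14.2.10 (upper bounds are the fixed releases).

// Parse "13.5.1", "^14.2.3" or "v14.2.3" into [major, minor, patch]; null if not a pinned version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim().replace(/^[~^=v]/, ''));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Three-way semver-core comparison of two [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Inclusive lower bound, exclusive upper bound (the upper bound is the fixed release).
const AFFECTED_RANGES = [
  { from: [13, 5, 1], fixed: [13, 5, 7] },
  { from: [14, 0, 0], fixed: [14, 2, 10] },
];

// true = affected, false = not affected, null = version string is not pinned (check the lockfile).
function isAffectedVersion(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return AFFECTED_RANGES.some(r => cmp(v, r.from) >= 0 && cmp(v, r.fixed) < 0);
}

// Pull the declared "next" version out of a package.json-shaped object.
function nextVersionFrom(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return deps.next ?? null;
}

// Response-side indicator from the advisory: a poisoned non-dynamic SSR route is served with
// `Cache-Control: s-maxage=1, stale-while-revalidate`. Header name lookup is case-insensitive.
function cacheControlLooksPoisoned(headers) {
  const cc = Object.entries(headers).find(([k]) => k.toLowerCase() === 'cache-control');
  if (!cc) return false;
  const directives = cc[1].toLowerCase().split(',').map(s => s.trim());
  return directives.includes('s-maxage=1') && directives.includes('stale-while-revalidate');
}

// Combine both checks into a list of findings. `sensitiveRoutes` is the operator's list of
// pages-router routes that must never be cached (hypothetical input, not a Next.js API).
function triage(pkg, observedResponses, sensitiveRoutes) {
  const version = nextVersionFrom(pkg);
  const findings = [];
  const affected = isAffectedVersion(version);
  if (affected === true) {
    findings.push(`next ${version} is within the affected range; upgrade to 13.5.7 / 14.2.10 or later`);
  } else if (affected === null) {
    findings.push(`could not determine a pinned Next.js version from "${version}"; check the lockfile`);
  }
  for (const { route, headers } of observedResponses) {
    if (sensitiveRoutes.includes(route) && cacheControlLooksPoisoned(headers)) {
      findings.push(`${route} responded with the s-maxage=1/stale-while-revalidate header the advisory describes; purge the CDN cache and confirm the build is patched`);
    }
  }
  return findings;
}

// Constructed sample input: an affected dependency pin and one poisoned-looking response.
const samplePkg = { dependencies: { next: '14.2.3', react: '18.3.1' } };
const sampleResponses = [
  { route: '/dashboard', headers: { 'Cache-Control': 's-maxage=1, stale-while-revalidate' } },
  { route: '/blog/hello', headers: { 'cache-control': 'private, no-cache' } },
];

console.log(triage(samplePkg, sampleResponses, ['/dashboard']));
```

The header check is an indicator, not proof: an application can legitimately set `stale-while-revalidate` from its own `getServerSideProps`, so keep `sensitiveRoutes` limited to routes that are known never to be cached, and treat the version check as the authoritative signal.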

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vercel
next.js
13.5.1 — 13.5.7 · 14.0.0 — 14.2.10

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-639): Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

Control (addresses CWE-639): Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.

References