CVE-2024-46982

moderate-risk
Published 2024-09-17

Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. Using pages router, & 3. Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Do I need to act?

!
49.1% chance of exploitation in next 30 days
EPSS score — higher than 51% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Vercel

References (3)

Patch https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d...
Patch https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cd...
Vendor Advisory https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9
49
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 18/34 · Moderate
Exposure 5/34 · Minimal