CVE-2024-51479

high-risk

Published 2024-12-17

Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.

Do I need to act?

66.7% chance of exploitation in next 30 days

EPSS score — higher than 33% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Next.Js

Affected Vendors

Vercel

References (2)

Release Notes https://github.com/vercel/next.js/releases/tag/v14.2.15

Vendor Advisory https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f

/ 100

high-risk

Severity 26/34 · High

Exploitability 19/34 · Moderate

Exposure 5/34 · Minimal