CVE-2024-34350 – next

Package

Manager: npm
Name: next
Vulnerable Version: >=13.4.0 <13.5.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N

EPSS: 0.00473 pctl0.63768

Details

Next.js Vulnerable to HTTP Request Smuggling ### Impact Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to be making use of the [rewrites](https://nextjs.org/docs/app/api-reference/next-config-js/rewrites) feature in Next.js. ### Patches The vulnerability is resolved in Next.js `13.5.1` and newer. This includes Next.js `14.x`. ### Workarounds There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version. ### References https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning

Metadata

Created: 2024-05-09T21:07:00Z
Modified: 2024-07-09T18:28:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-77r5-gw3j-2mpf/GHSA-77r5-gw3j-2mpf.json
CWE IDs: ["CWE-444"]
Alternative ID: GHSA-77r5-gw3j-2mpf
Finding: F110
Auto approve: 1