ghsa-77r5-gw3j-2mpf
Vulnerability from github
Published
2024-05-09 21:07
Modified
2024-07-09 18:28
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Summary
Next.js Vulnerable to HTTP Request Smuggling
Details

Impact

Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.

For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js.

Patches

The vulnerability is resolved in Next.js 13.5.1 and newer. This includes Next.js 14.x.

Workarounds

There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.

References

https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.4.0"
            },
            {
              "fixed": "13.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-09T21:07:00Z",
    "nvd_published_at": "2024-05-14T15:38:41Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nInconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.\n\nFor a request to be exploitable, the affected route also had to be making use of the [rewrites](https://nextjs.org/docs/app/api-reference/next-config-js/rewrites) feature in Next.js.\n\n### Patches\nThe vulnerability is resolved in Next.js `13.5.1` and newer. This includes Next.js `14.x`.\n\n### Workarounds\nThere are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.\n\n### References\nhttps://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning",
  "id": "GHSA-77r5-gw3j-2mpf",
  "modified": "2024-07-09T18:28:18Z",
  "published": "2024-05-09T21:07:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34350"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/commit/44eba020c615f0d9efe431f84ada67b81576f3f5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/next.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/compare/v13.5.0...v13.5.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Next.js Vulnerable to HTTP Request Smuggling"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.