
Authorization Bypass Through User-Controlled Key

CVE-2024-46982

Severity High
Score 7.5/10

Summary

Next.js is a React framework for building full-stack web applications. A crafted HTTP request can poison the cache of a non-dynamic server-side rendered route in the pages router (the app router is not affected). The crafted request could coerce Next.js into caching a route that is not meant to be cached and into sending a "Cache-Control: s-maxage=1, stale-while-revalidate" header, which some upstream CDNs may cache as well. To be potentially affected, all of the following must apply:

  • Next.js versions 13.5.1-canary.0 through 13.5.6, or 14.0.0 through 14.2.9
  • Using the pages router
  • Using non-dynamic server-side rendered routes (e.g. "pages/dashboard.tsx", not "pages/blog/[slug].tsx")

We recommend upgrading regardless of whether you can reproduce the issue. There are no official or recommended workarounds for this issue; we recommend that users patch to a safe version.
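The exposure conditions in the summary, written as a check a team could run over its own route inventory and response headers. This is an added example, not code from the advisory or from Next.js; the function names and the `usesSSR` flag are assumptions, while the version ranges and header value are copied from the summary.

```javascript
'use strict';
// Affected ranges as stated in the advisory summary (inclusive bounds).
const AFFECTED = [['13.5.1-canary.0', '13.5.6'], ['14.0.0', '14.2.9']];

// Parse an exact version "X.Y.Z[-prerelease]" (not a range such as "^14.2.0").
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not an exact semver version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer 2.0.0 precedence: a release outranks its own prereleases;
// numeric identifiers compare numerically and sort below alphanumeric ones.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (!x.pre.length || !y.pre.length) {
    return x.pre.length === y.pre.length ? 0 : (x.pre.length ? -1 : 1);
  }
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;
    if (q === undefined) return 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return +p < +q ? -1 : 1;
    if (pn !== qn) return pn ? -1 : 1;
    return p < q ? -1 : 1;
  }
  return 0;
}

function inAffectedRange(version) {
  return AFFECTED.some(([lo, hi]) => compare(version, lo) >= 0 && compare(version, hi) <= 0);
}

// All conditions must hold: affected version, pages router, SSR route, no [param] segment.
function isExposed({ version, router, route, usesSSR }) {
  const dynamic = /\[[^\]]+\]/.test(route);
  return inAffectedRange(version) && router === 'pages' && usesSSR === true && !dynamic;
}

// True when a response carries the header value the advisory names; only a finding on a route that should not be cached.
function hasAdvisoryCacheHeader(cacheControl) {
  const d = String(cacheControl).toLowerCase().split(',').map((s) => s.trim());
  return d.includes('s-maxage=1') && d.includes('stale-while-revalidate');
}
```

Feed `isExposed` the resolved version from the lockfile rather than the range in package.json, since `parse` rejects range expressions by design.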

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-639 - Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Advisory Timeline

  • Published