Authorization Bypass Through User-Controlled Key
CVE-2024-46982
Summary
Next.js is a React framework for building full-stack web applications. Sending a crafted HTTP request can poison the cache of a non-dynamic server-side rendered route in the pages router (the app router is not affected). The crafted request can coerce Next.js into caching a route that is not meant to be cached and into sending a "Cache-Control: s-maxage=1, stale-while-revalidate" header, which some upstream CDNs may cache as well.

To be potentially affected, all of the following must apply: Next.js versions 13.5.1-canary.0 through 13.5.6, or 14.0.0 through 14.2.9; use of the pages router; and use of non-dynamic server-side rendered routes (e.g. "pages/dashboard.tsx", not "pages/blog/[slug].tsx").

We recommend upgrading regardless of whether you can reproduce the issue. There are no official or recommended workarounds for this issue; we recommend that users patch to a safe version.
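The conditions listed above can be checked mechanically against a project. The following is an added example, not code from the advisory or from Next.js: it assumes the version passed in is the resolved installed version rather than a package.json range, that a server-side rendered page is recognised by an exported getServerSideProps, and the function names and sample files are constructed for illustration.

```javascript
// Exposure triage for the advisory's conditions. Version ranges are copied from the advisory.
const RANGES = [["13.5.1-canary.0", "13.5.6"], ["14.0.0", "14.2.9"]];

// Parse "major.minor.patch[-pre.release]" into comparable parts.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: m.slice(1, 4).map(Number), pre: m[4] ? m[4].split(".") : null };
}

// Semver precedence: a prerelease sorts before the release it precedes.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  if (!x.pre || !y.pre) return x.pre ? -1 : y.pre ? 1 : 0;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return Number(p) - Number(q);
    if (pn !== qn) return pn ? -1 : 1; // numeric identifiers sort first
    return p < q ? -1 : 1;
  }
  return 0;
}

function inAffectedRange(version) {
  return RANGES.some(([lo, hi]) => compare(version, lo) >= 0 && compare(version, hi) <= 0);
}

// Assumption: a pages-router SSR route is a non-API file under pages/ exporting getServerSideProps.
function isNonDynamicSsrPage(file, source) {
  const inPages = /^(src\/)?pages\//.test(file) && !/^(src\/)?pages\/api\//.test(file);
  const dynamic = /\[[^\]]+\]/.test(file); // e.g. pages/blog/[slug].tsx
  return inPages && !dynamic && /export\s+(async\s+)?(function|const)\s+getServerSideProps\b/.test(source);
}

// Route files that meet every condition; empty if the version is outside the ranges.
function exposedRoutes(version, files) {
  if (!inAffectedRange(version)) return [];
  return Object.keys(files).filter((f) => isNonDynamicSsrPage(f, files[f]));
}

// Constructed sample project (file path -> source text), not taken from the advisory.
const SAMPLE = {
  "pages/dashboard.tsx": "export async function getServerSideProps() { return { props: {} }; }",
  "pages/blog/[slug].tsx": "export async function getServerSideProps() { return { props: {} }; }",
  "pages/about.tsx": "export default function About() { return null; }",
};
```

Calling `exposedRoutes` with the installed version and a map of page files returns the routes to prioritise when verifying the upgrade and when reviewing what an upstream CDN has cached.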
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-639 - Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.