Improper Authorization

CVE-2024-51479

Severity High
Score 7.5/10

Summary

Next.js is a React framework for building full-stack web applications. In versions 9.5.5-canary.0 through 14.2.14 and 14.3.0-canary.0 through 15.0.0-canary.177, if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.
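A quick way to check a project against the affected ranges quoted above, as an added example (not code from the advisory or from the Next.js project): it compares a pinned `next` version against the two inclusive ranges, treating `canary.N` as a prerelease that sorts below the final release of the same version. The `package.json` object below is a constructed sample.

```javascript
// Added example: does a Next.js version fall inside the ranges the
// CVE-2024-51479 summary lists as affected? Assumes versions look like
// "x.y.z" or "x.y.z-canary.N"; anything else is rejected rather than guessed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    // Infinity stands for "final release", which sorts after every canary.
    canary: m[4] === undefined ? Infinity : Number(m[4]),
  };
}

// Semver-style ordering: numeric core first, then canary number.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.canary === pb.canary) return 0;
  return pa.canary < pb.canary ? -1 : 1;
}

// Inclusive bounds, exactly as the advisory words them ("through").
const AFFECTED_RANGES = [
  ['9.5.5-canary.0', '14.2.14'],
  ['14.3.0-canary.0', '15.0.0-canary.177'],
];

function isAffectedByCVE202451479(version) {
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0);
}

// Only exact pins are judged here; a caret/tilde range such as "^14.2.0" can
// resolve to either side of the boundary, so report it as undetermined (null)
// and check the resolved version in the lockfile instead.
function checkPackageJson(pkg) {
  const spec = (pkg.dependencies && pkg.dependencies.next) || null;
  if (!spec) return { found: false, affected: false };
  const pinned = /^\d/.test(spec);
  return { found: true, version: spec, pinned,
           affected: pinned ? isAffectedByCVE202451479(spec) : null };
}

// Constructed sample package.json, not taken from any real project.
const samplePackageJson = { dependencies: { next: '14.2.14', react: '18.3.1' } };
console.log(checkPackageJson(samplePackageJson)); // affected: true
```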

CVSS v3.1 metrics (metric names inferred from the bare values listed; they match the 7.5 score above)

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • User Interaction: NONE
  • Confidentiality: NONE
  • Integrity: HIGH
  • Availability: NONE

CWE-285 - Improper Authorization

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Advisory Timeline

  • Published