Improper Authorization
CVE-2024-51479
Summary
Next.js is a React framework for building full-stack web applications. In versions 9.5.5-canary.0 through 14.2.14 and 14.3.0-canary.0 through 15.0.0-canary.177, if a Next.js application performs authorization in middleware based on the request pathname, that authorization could be bypassed for pages directly under the application's root directory. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.
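The pattern the advisory describes, pathname-based authorization decided in middleware, is shown below as an added example; it is not code from the advisory or from the Next.js project, and it does not reproduce the bypass. It models the middleware gate with plain Web `Request`/`Response` objects (Node 18+) rather than `next/server`, and pairs it with the defence-in-depth check that limits the impact of any middleware bypass: the route handler re-verifies the session itself instead of trusting that middleware ran. The `PROTECTED_PREFIXES` list, the `SESSIONS` token table, `sessionFromRequest`, `dashboardHandler` and the minimal `handle` router are all assumptions constructed for this illustration. The actual fix for the affected versions is upgrading out of the ranges listed in the summary; the second check is a complement, not a substitute.

```javascript
// Added example, not code from the advisory or from Next.js itself.
// Models authorization decided in middleware from the request pathname,
// plus a second check inside the route handler so that a request which
// reaches the handler without passing middleware is still refused.
// Uses only the Web Request/Response globals (Node 18+), not next/server,
// so it runs stand-alone. The prefixes and token table are constructed.

const PROTECTED_PREFIXES = ['/dashboard', '/admin', '/api/private'];

// Constructed bearer-token table standing in for a real session store.
const SESSIONS = { 'tok-alice': { user: 'alice', role: 'user' } };

// Canonicalise the path before prefix matching so that variants such as
// "/dashboard/" or "//dashboard" resolve to the same protected route.
function normalizePath(pathname) {
  let p = pathname.replace(/\/{2,}/g, '/');
  if (p.length > 1 && p.endsWith('/')) p = p.slice(0, -1);
  return p;
}

function isProtectedPath(pathname) {
  const p = normalizePath(pathname);
  return PROTECTED_PREFIXES.some((prefix) => p === prefix || p.startsWith(prefix + '/'));
}

// Hypothetical session lookup from an "Authorization: Bearer <token>" header.
function sessionFromRequest(request) {
  const auth = request.headers.get('authorization') || '';
  const m = auth.match(/^Bearer\s+(\S+)$/i);
  return m ? SESSIONS[m[1]] || null : null;
}

// First layer: the middleware gate keyed on pathname.
// Returns a Response to short-circuit the request, or null to let it through.
function middleware(request) {
  const { pathname } = new URL(request.url);
  if (isProtectedPath(pathname) && !sessionFromRequest(request)) {
    return new Response('Unauthorized', { status: 401 });
  }
  return null;
}

// Second layer: the handler checks authorization on its own, so it does
// not depend on middleware having been applied to this request.
function dashboardHandler(request) {
  const session = sessionFromRequest(request);
  if (!session) return new Response('Unauthorized', { status: 401 });
  return new Response(JSON.stringify({ user: session.user }), {
    status: 200,
    headers: { 'content-type': 'application/json' },
  });
}

// Minimal router tying the two layers together (constructed for the example).
function handle(request) {
  const blocked = middleware(request);
  if (blocked) return blocked;
  const { pathname } = new URL(request.url);
  if (normalizePath(pathname) === '/dashboard') return dashboardHandler(request);
  return new Response('Not found', { status: 404 });
}

// Stand-alone demonstration: anonymous request is refused, a valid token passes,
// and the handler alone still refuses an anonymous request.
console.log(handle(new Request('http://localhost/dashboard')).status);
console.log(handle(new Request('http://localhost/dashboard', {
  headers: { authorization: 'Bearer tok-alice' },
})).status);
console.log(dashboardHandler(new Request('http://localhost/dashboard')).status);
```

The point of the second layer is that the authorization decision no longer rests on a single pathname comparison made before routing: even if a request is routed in a way the middleware did not anticipate, the handler for the protected page still demands a valid session before returning data.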
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-285 - Improper Authorization
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
References
Advisory Timeline
- Published