GHSA-77r5-gw3j-2mpf: Next.js Vulnerable to HTTP Request Smuggling

Impact

Inconsistent interpretation of a crafted HTTP request meant that Next.js treated the request both as a single request and as two separate requests, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.

For a request to be exploitable, the affected route also had to be using the rewrites feature in Next.js.

Patches

The vulnerability is resolved in Next.js 13.5.1 and newer. This includes Next.js 14.x.

Workarounds

There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.
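As an added example (not from the advisory or the Next.js project), a small Node.js script that evaluates the published affected range against `next` versions recorded in a package-lock.json; the lock-file layout it walks (the `packages` map of lockfileVersion 2/3) is an assumption, and semver pre-release ordering is implemented so canary builds below 13.5.1 are still flagged.

```javascript
// Added example, not part of the advisory: flag installed versions of the
// `next` npm package inside the affected range published for GHSA-77r5-gw3j-2mpf.
// Pre-releases (13.5.1-canary.2) sort below their release under semver rules.
const AFFECTED_RANGE = '>= 13.4.0, < 13.5.1'; // quoted from the advisory

// "13.5.1-canary.2" -> { nums: [13, 5, 1], pre: ["canary", "2"] }
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [m[1], m[2], m[3]].map(Number), pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (!pa.pre.length || !pb.pre.length) { // a pre-release ranks below its release
    return pa.pre.length === pb.pre.length ? 0 : pa.pre.length ? -1 : 1;
  }
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1; // fewer identifiers ranks lower
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1; // numeric identifiers rank below alphanumeric
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Evaluate every comma-separated clause of a GHSA-style range.
function isAffected(version, range = AFFECTED_RANGE) {
  return range.split(',').every((clause) => {
    const m = /^\s*(>=|<=|>|<|=)\s*(\S+)\s*$/.exec(clause);
    if (!m) throw new Error(`bad range clause: ${clause}`);
    const c = compareVersions(version, m[2]);
    return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[m[1]];
  });
}

// Walk a package-lock.json (lockfileVersion 2/3, assumed layout); nested copies count too.
function findAffectedNext(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p, pkg]) => p.endsWith('node_modules/next') && pkg.version && isAffected(pkg.version))
    .map(([path, pkg]) => ({ path, version: pkg.version }));
}
```

Feed it `JSON.parse(fs.readFileSync('package-lock.json'))`; any returned entry is a copy of `next` that the advisory says must move to 13.5.1 or later.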

References

https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning



High severity, GitHub Reviewed. Published May 9, 2024 in vercel/next.js; updated May 9, 2024.


Package: next (npm)
Affected versions: >= 13.4.0, < 13.5.1
Patched versions: 13.5.1


jackwilson323 published to vercel/next.js: May 9, 2024
Published to the GitHub Advisory Database: May 9, 2024
Reviewed: May 9, 2024
Last updated: May 9, 2024

Severity: High (CVSS 7.5 / 10)

CVSS base metrics:
  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: None

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Weaknesses: CWE-444
CVE ID: CVE-2024-34350
GHSA ID: GHSA-77r5-gw3j-2mpf
Source code: vercel/next.js

Credits: elifoster-block (Finder)
