Next.js Vulnerable to HTTP Request Smuggling

GHSA-77r5-gw3j-2mpf · CVE-2024-34350

Published May 9, 2024 · Modified Jul 9, 2024

Description

Impact

Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.

For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js.

Patches

The vulnerability is resolved in Next.js 13.5.1 and newer. This includes Next.js 14.x.

Workarounds

There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.

References

https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning

References

WEB https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-34350
WEB https://github.com/vercel/next.js/commit/44eba020c615f0d9efe431f84ada67b81576f3f5
PACKAGE https://github.com/vercel/next.js
WEB https://github.com/vercel/next.js/compare/v13.5.0...v13.5.1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes