CVE - CVE-2024-46982

CVE-ID
CVE-2024-46982	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. Using pages router, & 3. Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3 URL:https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3 MISC:https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda URL:https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda MISC:https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9 URL:https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20240916	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240916)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)