PT-2024-10209 · Next.Js · Next.Js

Published: 2024-12-19 · Updated: 2025-12-04 · CVE-2024-56332

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Next.js versions 13.0.0 through 13.5.7
Next.js versions 14.0.0 through 14.2.20
Next.js versions 15.0.0 through 15.1.1
Description
The issue is an unbounded resource allocation in Next.js that can be exploited to cause a denial of service: a remote attacker can construct requests that leave Server Actions hanging until the hosting provider cancels the function execution. On providers that bill by response time, the same behaviour also works as a Denial of Wallet attack. Deployments without protection against long-running Server Action invocations are especially exposed. Only Next.js deployments that use Server Actions are affected.
Recommendations
For Next.js versions 13.0.0 through 13.5.7, update to version 13.5.8 or later.
For Next.js versions 14.0.0 through 14.2.20, update to version 14.2.21 or later.
For Next.js versions 15.0.0 through 15.1.1, update to version 15.1.2 or later.
As a temporary workaround, consider restricting access to Server Actions to minimize the risk of exploitation.
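The description singles out deployments that lack "protection against long-running Server Action invocations". The following is an added illustration of what such a deployment-level guard can look like; it is not code from the Next.js project or from this advisory, and it does not replace the version upgrade, which is the actual fix. The wrapper name `withTimeout`, the error class `ActionTimeoutError` and the two sample actions are constructed for this example. The idea is to race the action's work against a fixed time budget and to hand the work an AbortSignal so that downstream I/O can be cancelled instead of lingering until the platform kills the function.

```javascript
// Added example (not Next.js project code): bound the wall-clock time of a
// Server Action so a request that never completes cannot hold the function
// open until the hosting provider cancels it (and stops the bill running).

// Distinguishable error so callers and logs can separate "hit the budget"
// from ordinary action failures.
class ActionTimeoutError extends Error {
  constructor(actionName, ms) {
    super(`Server Action "${actionName}" exceeded ${ms} ms and was aborted`);
    this.name = 'ActionTimeoutError';
  }
}

// Hypothetical wrapper. `fn(signal)` receives an AbortSignal so fetch/DB
// clients that accept one can be cancelled when the budget is exhausted.
// Resolves with fn's result or rejects with ActionTimeoutError.
function withTimeout(actionName, ms, fn) {
  const controller = new AbortController();
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => {
      controller.abort();
      reject(new ActionTimeoutError(actionName, ms));
    }, ms);
  });
  // Promise.resolve().then(...) also turns a synchronous throw in fn into a
  // rejection, so the caller sees one consistent failure path.
  return Promise.race([
    Promise.resolve().then(() => fn(controller.signal)),
    deadline,
  ]).finally(() => clearTimeout(timer)); // don't leave timers behind on the fast path
}

// Constructed sample actions standing in for real Server Actions.
function fastAction(signal) {
  return Promise.resolve({ ok: true, aborted: signal.aborted });
}

function hangingAction(signal) {
  // Models work that never settles on its own; only the abort signal ends it.
  return new Promise((_, reject) => {
    signal.addEventListener('abort', () => reject(new Error('cancelled')), { once: true });
  });
}

// Usage inside an app (illustrative): wrap the real work of an exported action.
// export async function submitForm(formData) {
//   return withTimeout('submitForm', 5000, (signal) => saveRecord(formData, { signal }));
// }
```

Pick the budget from what the action legitimately needs, not from the platform's maximum execution time; the guard only helps if it fires well before the provider would have cancelled the invocation anyway. Logging `ActionTimeoutError` separately also gives a simple detection signal for a burst of requests that all hit the budget.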

Exploit · Fix · DoS

Weakness Enumeration
Allocation of Resources Without Limits

Related Identifiers
BDU:2025-00538
CVE-2024-56332
GHSA-7M27-7GHC-44W9

Affected Products
Next.Js