PT-2024-25807 · Next.Js · Next.Js
Elifoster-Block
Published 2024-05-09 · Updated 2024-05-18
CVE-2024-34350
| CVSS v3.1 | 7.5 (High) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Next.js versions prior to 13.5.1
Description
Next.js versions prior to 13.5.1 interpret a crafted HTTP request inconsistently: the same request bytes are treated both as a single request and as two separate requests. The surplus response this produces is desynchronized from the requests the client actually sent, so on a persistent (keep-alive) connection that a front-end or proxy reuses across clients it is delivered to whichever request comes next, possibly from another user. This is response queue poisoning, a form of HTTP request/response smuggling (CWE-444). The condition is only reachable on routes that use the rewrites feature in Next.js. The CVSS vector rates the impact as integrity-only (C:N/I:H/A:N): the attacker can influence which response is delivered to other users' requests.
Recommendations
Upgrade to Next.js 13.5.1 or newer; the fix is included in all Next.js 14.x releases. The upstream advisory lists no official workaround. Because the condition is only reachable through the rewrites feature, removing rewrites from routes exposed to untrusted traffic limits exposure until the upgrade is done, but it is not a substitute for upgrading. To confirm the fix is actually deployed, check the resolved version of the next package in the lock file rather than the version range in package.json.
Exploit
Fix
Weakness Enumeration
CWE-444: HTTP Request/Response Smuggling
Related Identifiers
CVE-2024-34350
Affected Products
Next.Js
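As an added example (not code from the original page or from the Next.js project), the following Python script checks whether a project is exposed to this issue using the two facts the advisory gives: the Next.js version must be below 13.5.1, and the affected route must use the rewrites feature. It reads the resolved next version from package-lock.json and scans next.config.js for a rewrites definition. The lock-file and config contents embedded below are constructed samples; the rewrites scan is a text heuristic that flags any rewrites property or method (including one inside a comment), so treat a hit as "review this config", not as proof that an affected route is reachable.

```python
import json
import re

# First release containing the fix, per the advisory.
FIXED_VERSION = (13, 5, 1)

# Pinned semver: optional leading "v", major.minor.patch, optional -prerelease, optional +build.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)

# Heuristic: `rewrites()` method, `rewrites:` property or `rewrites =` assignment.
_REWRITES_RE = re.compile(r"\brewrites\s*(?:\(|:|=)")


def parse_version(version):
    """Return (major, minor, patch, prerelease) for a pinned semver string, or None."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre)


def is_vulnerable_version(version):
    """True if the resolved Next.js version is below 13.5.1.

    Semver orders a pre-release (e.g. 13.5.1-canary.3) below the matching
    release, so such builds are flagged as affected. That is conservative:
    the advisory only names 13.5.1 as the first fixed release.
    """
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"not a pinned semver version: {version!r}")
    major, minor, patch, pre = parsed
    core = (major, minor, patch)
    if core < FIXED_VERSION:
        return True
    return core == FIXED_VERSION and pre is not None


def installed_next_version(package_lock_text):
    """Read the resolved 'next' version from package-lock.json.

    Supports lockfile v2/v3 ("packages") and v1 ("dependencies") layouts.
    """
    lock = json.loads(package_lock_text)
    pkg = lock.get("packages", {}).get("node_modules/next")
    if pkg and "version" in pkg:
        return pkg["version"]
    dep = lock.get("dependencies", {}).get("next")
    if dep and "version" in dep:
        return dep["version"]
    return None


def config_uses_rewrites(next_config_text):
    """Heuristic text scan: does next.config.js define rewrites at all?"""
    return _REWRITES_RE.search(next_config_text) is not None


def assess(package_lock_text, next_config_text):
    """Combine both conditions from the advisory into one verdict."""
    version = installed_next_version(package_lock_text)
    if version is None:
        raise ValueError("next is not present in the lock file")
    vulnerable = is_vulnerable_version(version)
    rewrites = config_uses_rewrites(next_config_text)
    return {
        "next_version": version,
        "vulnerable_version": vulnerable,
        "uses_rewrites": rewrites,
        # Exposed only when both conditions hold; upgrading clears it either way.
        "exposed": vulnerable and rewrites,
        "action": "upgrade next to >=13.5.1" if vulnerable else "no action needed",
    }


# Constructed sample inputs (hypothetical project, not real data).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"next": "^13.4.0"}},
        "node_modules/next": {"version": "13.4.12"},
    },
})

SAMPLE_CONFIG = """/** @type {import('next').NextConfig} */
const nextConfig = {
  async rewrites() {
    return [{ source: '/api/:path*', destination: 'https://backend.example.internal/:path*' }];
  },
};
module.exports = nextConfig;
"""

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_LOCK, SAMPLE_CONFIG), indent=2))
```

On the constructed sample the verdict is exposed, because next resolves to 13.4.12 and the config defines rewrites; replacing the resolved version with 13.5.1 or later clears it regardless of the config, which is the ordering the advisory implies (upgrade first, rewrites removal only as a stopgap).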