CVE-2024-46982

Name of the Vulnerable Software and Affected Versions Next.js versions 13.5.1 through 14.2.9

Description The issue allows an attacker to poison the cache of a non-dynamic server-side rendered route in the pages router by sending a crafted HTTP request. This could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header, which some upstream CDNs may also cache. To be potentially affected, all of the following must apply: using Next.js between versions 13.5.1 and 14.2.9, using the pages router, and using non-dynamic server-side rendered routes.

Recommendations Next.js versions 13.5.1 through 14.2.9: Upgrade to version 13.5.7, 14.2.10, or later. As a temporary workaround, consider restricting access to non-dynamic server-side rendered routes until a patch is available. Avoid using the Cache-Control: s-maxage=1, stale-while-revalidate header in the affected API endpoint until the issue is resolved.