Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03N3I1LWd3M2otMm1wZs4AA74O
Next.js Vulnerable to HTTP Request Smuggling
Impact
Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.
For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js.
Patches
The vulnerability is resolved in Next.js 13.5.1
and newer. This includes Next.js 14.x
.
Workarounds
There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.
References
https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning
Permalink: https://github.com/advisories/GHSA-77r5-gw3j-2mpfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03N3I1LWd3M2otMm1wZs4AA74O
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 days ago
Updated: 6 days ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-77r5-gw3j-2mpf, CVE-2024-34350
References:
- https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf
- https://github.com/vercel/next.js/commit/44eba020c615f0d9efe431f84ada67b81576f3f5
- https://github.com/vercel/next.js/compare/v13.5.0...v13.5.1
- https://nvd.nist.gov/vuln/detail/CVE-2024-34350
- https://github.com/advisories/GHSA-77r5-gw3j-2mpf
Blast Radius: 41.5
Affected Packages
npm:next
Dependent packages: 8,463Dependent repositories: 345,645
Downloads: 26,705,089 last month
Affected Version Ranges: >= 13.4.0, < 13.5.1
Fixed in: 13.5.1
All affected versions: 13.4.0, 13.4.1, 13.4.2, 13.4.3, 13.4.4, 13.4.5, 13.4.6, 13.4.7, 13.4.8, 13.4.9, 13.4.10, 13.4.11, 13.4.12, 13.4.13, 13.4.15, 13.4.16, 13.4.17, 13.4.18, 13.4.19, 13.5.0
All unaffected versions: 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.9.9, 0.9.10, 0.9.11, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 5.0.0, 5.1.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.1.0, 6.1.1, 6.1.2, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 10.0.8, 10.0.9, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.5, 12.0.6, 12.0.7, 12.0.8, 12.0.9, 12.0.10, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 13.0.5, 13.0.6, 13.0.7, 13.1.0, 13.1.1, 13.1.2, 13.1.3, 13.1.4, 13.1.5, 13.1.6, 13.2.0, 13.2.1, 13.2.2, 13.2.3, 13.2.4, 13.3.0, 13.3.1, 13.3.2, 13.3.3, 13.3.4, 13.5.1, 13.5.2, 13.5.3, 13.5.4, 13.5.5, 13.5.6, 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.1.0, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 14.2.0, 14.2.1, 14.2.2, 14.2.3