high severity
new
- Vulnerable module: next
- Introduced through: next@13.5.11
Detailed paths
- Introduced through: setup-example-next@Loonz806/setup-example-next#d97080a73b446a98c4a802ac5cf9440a02ba7915 › next@13.5.11
  Remediation: Upgrade to next@14.2.32.
Overview
next is a react framework.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in resolve-routes. An attacker can access internal resources and potentially exfiltrate sensitive information by crafting requests containing user-controlled headers (e.g., Location) that are forwarded or interpreted without validation.
Note: This is only exploitable if custom middleware logic is implemented in a self-hosted deployment. The project maintainers recommend using the documented NextResponse.next({request}) to explicitly pass the request object.
Remediation
Upgrade next to version 14.2.32, 15.4.2-canary.43, 15.4.7 or higher.
high severity
- Vulnerable module: next
- Introduced through: next@13.5.11
Detailed paths
- Introduced through: setup-example-next@Loonz806/setup-example-next#d97080a73b446a98c4a802ac5cf9440a02ba7915 › next@13.5.11
  Remediation: Upgrade to next@14.2.7.
Overview
next is a react framework.
Affected versions of this package are vulnerable to Uncontrolled Recursion through the image optimization feature. An attacker can cause excessive CPU consumption by exploiting this vulnerability.
Workaround
Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.
Remediation
Upgrade next to version 14.2.7, 15.0.0-canary.109 or higher.
high severity
- Vulnerable module: next
- Introduced through: next@13.5.11
Detailed paths
- Introduced through: setup-example-next@Loonz806/setup-example-next#d97080a73b446a98c4a802ac5cf9440a02ba7915 › next@13.5.11
  Remediation: Upgrade to next@14.1.1.
Overview
next is a react framework.
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) through Host header manipulation. An attacker can make unauthorized requests appearing to originate from the server.
Notes:
Prerequisites:
- Next.js (<14.1.1) is running in a self-hosted manner.
- The Next.js application makes use of Server Actions.
- The Server Action performs a redirect to a relative path which starts with a /.
Remediation
Upgrade next to version 14.1.1 or higher.
medium severity
- Vulnerable module: next
- Introduced through: next@13.5.11
Detailed paths
- Introduced through: setup-example-next@Loonz806/setup-example-next#d97080a73b446a98c4a802ac5cf9440a02ba7915 › next@13.5.11
  Remediation: Upgrade to next@14.2.24.
Overview
next is a react framework.
Affected versions of this package are vulnerable to Race Condition in the Pages Router. An attacker can cause the server to serve incorrect pageProps data instead of the expected HTML content by exploiting a race condition between two requests, one containing the ?__nextDataRequest=1 query parameter and another with the x-now-route-matches header.
Notes:
- This is only exploitable if the CDN provider caches a 200 OK response even in the absence of explicit cache-control headers, enabling a poisoned response to persist and be served to subsequent users.
- No backend access or privilege escalation is possible through this vulnerability.
- Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on 200 OK status without explicit cache-control headers.
- This is a bypass of the fix for CVE-2024-46982.
Workaround
This can be mitigated by stripping the x-now-route-matches header from all incoming requests at your CDN and setting cache-control: no-store for all responses under risk.
Remediation
Upgrade next to version 14.2.24, 15.1.6 or higher.
medium severity
new
- Vulnerable module: next
- Introduced through: next@13.5.11
Detailed paths
- Introduced through: setup-example-next@Loonz806/setup-example-next#d97080a73b446a98c4a802ac5cf9440a02ba7915 › next@13.5.11
  Remediation: Upgrade to next@14.2.31.
Overview
next is a react framework.
Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the image optimization process, when responses from API routes vary based on request headers such as Cookie or Authorization. An attacker can gain unauthorized access to sensitive image data by exploiting cache key confusion, causing responses intended for authenticated users to be served to unauthorized users.
Note: Exploitation requires a prior authorized request to populate the cache.
Remediation
Upgrade next to version 14.2.31, 15.4.2-canary.19, 15.4.5 or higher.
medium severity
- Vulnerable module: inflight
- Introduced through: react-query@3.39.3
Detailed paths
- Introduced through: setup-example-next@Loonz806/setup-example-next#d97080a73b446a98c4a802ac5cf9440a02ba7915 › react-query@3.39.3 › broadcast-channel@3.7.0 › rimraf@3.0.2 › glob@7.2.3 › inflight@1.0.6
Overview
Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres function, due to improperly deleting keys from the reqs object after execution of callbacks. This behavior causes the keys to remain in the reqs object, which leads to resource exhaustion.
Exploiting this vulnerability results in crashing the node process or the application.
Note: This library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.
To trigger the memory leak, an attacker would need to have the ability to execute or influence the asynchronous operations that use the inflight module within the application. This typically requires access to the internal workings of the server or application, which is not commonly exposed to remote users. Therefore, “Attack vector” is marked as “Local”.
PoC
```javascript
const inflight = require('inflight');

function testInflight() {
  let i = 0;
  function scheduleNext() {
    // A fresh key on every tick; each one becomes a new entry in inflight's reqs map.
    let key = `key-${i++}`;
    const callback = () => {
    };
    // Register many callbacks under the same key. They are never invoked,
    // so the key is never removed from reqs and the entries accumulate.
    for (let j = 0; j < 1000000; j++) {
      inflight(key, callback);
    }
    // Log process memory every 100 keys to observe the growth.
    if (i % 100 === 0) {
      console.log(process.memoryUsage());
    }
    setImmediate(scheduleNext);
  }
  scheduleNext();
}

testInflight();
```
Remediation
There is no fixed version for inflight.
low severity
- Vulnerable module: next
- Introduced through: next@13.5.11
Detailed paths
- Introduced through: setup-example-next@Loonz806/setup-example-next#d97080a73b446a98c4a802ac5cf9440a02ba7915 › next@13.5.11
  Remediation: Upgrade to next@14.2.30.
Overview
next is a react framework.
Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets when running next dev and the project uses the App Router. An attacker can access the source code of client components by exploiting the Cross-site WebSocket hijacking (CSWSH) attack when a user visits a malicious link while having the server running locally.
Workarounds
- Avoid browsing untrusted websites while running the local development server.
- Implement local firewall or proxy rules to block unauthorized WebSocket access to localhost.
Remediation
Upgrade next to version 14.2.30, 15.2.2 or higher.
low severity
new
- Vulnerable module: next
- Introduced through: next@13.5.11
Detailed paths
- Introduced through: setup-example-next@Loonz806/setup-example-next#d97080a73b446a98c4a802ac5cf9440a02ba7915 › next@13.5.11
  Remediation: Upgrade to next@14.2.31.
Overview
next is a react framework.
Affected versions of this package are vulnerable to Missing Source Correlation of Multiple Independent Data in image-optimizer. An attacker can cause arbitrary files to be downloaded with attacker-controlled content and filenames by supplying malicious external image sources.
Note: This is only exploitable if the application is configured to allow external image sources via the images.domains or images.remotePatterns configuration.
Remediation
Upgrade next to version 14.2.31, 15.4.2-canary.19, 15.4.5 or higher.
low severity
new
- Vulnerable module: sirv
- Introduced through: @next/bundle-analyzer@13.5.11
Detailed paths
- Introduced through: setup-example-next@Loonz806/setup-example-next#d97080a73b446a98c4a802ac5cf9440a02ba7915 › @next/bundle-analyzer@13.5.11 › webpack-bundle-analyzer@4.7.0 › sirv@1.0.19
Overview
sirv is an optimized and lightweight middleware for serving requests to static assets.
Affected versions of this package are vulnerable to Directory Traversal via the viaLocal function, which uses a dirname prefix. An attacker can access files outside the intended public directory by sending crafted requests that exploit symlinks and naming similarities, bypassing access restrictions.
Note: This is only exploitable if the server is explicitly exposed to the network using the --host flag or the server.host configuration option, the public directory feature is enabled, and there are symlinks in a public directory.
Details
A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating file paths with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.
Directory Traversal vulnerabilities can be generally divided into two types:
- Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.
  st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.
  If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.
  ```
  curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa
  ```
  Note %2e is the URL encoded version of . (dot).
- Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.
One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.
The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:
```
2018-04-15 22:04:29 ..... 19 19 good.txt
2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
```
Remediation
Upgrade sirv to version 3.0.2 or higher.