A critical vulnerability, identified as CVE-2024-46982, has been discovered in the popular Next.js framework, widely used for building full-stack web applications.
This flaw exposes websites to cache poisoning and stored cross-site scripting (XSS) attacks, posing significant risks to both user data and application availability.
The vulnerability has a CVSS score of 7.5 (High), reflecting its ease of exploitation and potential for widespread damage.
This vulnerability has already been exploited in bug bounty programs, with researchers reporting high-severity impacts across sectors like e-commerce, cryptocurrency platforms, and financial services.
In one instance, a stored XSS attack allowed an attacker to extract sensitive user data from a major platform.
Critical Next.js Framework Vulnerability
CVE-2024-46982 affects Next.js versions between 13.5.1 and 14.2.9 when using the pages router with non-dynamic server-side rendered (SSR) routes.
The vulnerability allows attackers to manipulate caching mechanisms by sending specially crafted HTTP requests.
This can trick the application into caching dynamic content that should not be cached, introducing the potential for malicious payloads to be served to unsuspecting users.
Rachid Allam, a web vulnerability researcher, states that the issue arises from how Next.js handles getServerSideProps and getStaticProps, two core functions for SSR and static site generation (SSG), respectively.
By exploiting certain headers (e.g., x-now-route-matches) or internal URL parameters (__nextDataReq), attackers can bypass cache-control rules and poison the cache with harmful responses.
Exploitation Techniques
Cache Poisoning for Denial of Service (DoS):
Attackers can alter the content of endpoints by injecting a crafted JSON object (pageProps) into the cache.
When users access the affected endpoint, they are served this poisoned content instead of the intended page, disrupting website availability.
Stored XSS via Cache Poisoning:
By leveraging reflected user inputs (e.g., user-agent strings or cookies) in SSR responses, attackers can inject malicious scripts into the cache.
Once cached, these scripts execute whenever users visit the affected endpoint, enabling attackers to steal sensitive data or perform account takeovers.
Cache Deception Attacks:
Attackers exploit the stale-while-revalidate directive in cache-control headers to force caches to serve stale or poisoned responses during revalidation periods.
The Next.js team has addressed CVE-2024-46982 in versions 13.5.7 and 14.2.10. Developers are strongly advised to upgrade their applications immediately to these patched versions or later.
This vulnerability does not impact deployments using only the app router or hosted on Vercel due to stricter default configurations.
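As an added illustration from the defender's side (example code written for this page, not code from the article, the researcher, or the Next.js project), the following JavaScript audits access-log entries for the signals described above: the internal x-now-route-matches header or the __nextDataReq parameter arriving from outside, and a pages-router SSR route answering with an s-maxage lifetime that a shared cache would honour. It also checks a version string against the affected range. The log field names, the sample entries, and the isSsrPath predicate are assumptions about one hypothetical deployment.

```javascript
// Added example, not the article's or Next.js's code; log fields and isSsrPath are assumptions.
const INTERNAL_HEADER = "x-now-route-matches";
const INTERNAL_PARAM = "__nextDataReq";
const DATA_PREFIX = "/_next/data/"; // legitimate prefix for Next.js client-side data fetches

// Numeric comparison of dotted major.minor.patch strings.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Affected per the article: 13.5.1 up to the fix in 13.5.7, and 14.x up to the fix in 14.2.10.
function isAffectedVersion(v) {
  const inRange = (lo, hi) => cmpVersion(v, lo) >= 0 && cmpVersion(v, hi) < 0;
  return inRange("13.5.1", "13.5.7") || inRange("14.0.0", "14.2.10");
}

// Reasons one log entry deserves review; an empty array means nothing unusual.
function auditEntry(entry, isSsrPath) {
  const reasons = [];
  const url = new URL(entry.path, "http://localhost"); // base only serves to parse the path
  const onDataRoute = url.pathname.startsWith(DATA_PREFIX);
  const hasInternalHeader = Object.keys(entry.headers).some((k) => k.toLowerCase() === INTERNAL_HEADER);
  // 1. External clients have no reason to send this internal routing header.
  if (hasInternalHeader) reasons.push(`client sent internal header ${INTERNAL_HEADER}`);
  // 2. The internal data-request flag belongs on /_next/data/ URLs, not on page URLs.
  if (!onDataRoute && url.searchParams.has(INTERNAL_PARAM)) reasons.push(`${INTERNAL_PARAM} on a page route`);
  // 3. A getServerSideProps page should never hand a shared cache an s-maxage lifetime.
  const cc = (entry.response["cache-control"] || "").toLowerCase();
  if (!onDataRoute && isSsrPath(url.pathname) && /\bs-maxage=/.test(cc)) reasons.push("SSR route cacheable");
  return reasons;
}

function auditLog(entries, isSsrPath) {
  return entries.map((e, i) => ({ index: i, reasons: auditEntry(e, isSsrPath) })).filter((r) => r.reasons.length > 0);
}

// Constructed sample entries (not real traffic); cache-control values are illustrative.
const STATIC_CC = "s-maxage=31536000, stale-while-revalidate";
const SAMPLE_LOG = [
  { path: "/products/42", headers: { "user-agent": "Mozilla/5.0" }, response: { "cache-control": "private, no-store" } },
  { path: "/products/42", headers: { "user-agent": "Mozilla/5.0", "x-now-route-matches": "1" }, response: { "cache-control": STATIC_CC } },
  { path: "/products/42?__nextDataReq=1", headers: { "user-agent": "Mozilla/5.0" }, response: { "cache-control": STATIC_CC } },
  { path: "/_next/data/BUILDID/products/42.json", headers: {}, response: { "cache-control": STATIC_CC } },
];
const isSsrPath = (p) => p.startsWith("/products/"); // assumption: these pages use getServerSideProps
console.log(auditLog(SAMPLE_LOG, isSsrPath)); // flags entries 1 and 2, two reasons each
```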
This flaw underscores the importance of robust security practices in web development, especially when dealing with caching mechanisms and dynamic content rendering.
Website administrators must act swiftly by applying patches and reviewing their caching policies to safeguard against these sophisticated attacks that threaten both data confidentiality and service availability.