CVE-2024-34350

Next.js Vulnerable to HTTP Request Smuggling

CVSS 7.5 HIGHEPSS 1.0%CWE-444

In short

Next.js versions before 13.5.1 can misinterpret specially crafted HTTP requests, causing them to be processed as both a single request and two separate requests simultaneously. This allows attackers to poison the response queue and send unintended responses to other users, especially when the rewrites feature is enabled.

Technical detail

HTTP request smuggling vulnerability in Next.js <13.5.1 arising from inconsistent HTTP request parsing (CWE-444). The attack vector requires a crafted HTTP request to a route using the rewrites feature; the inconsistent interpretation causes desynchronization between Next.js's request parsing and downstream processing, enabling response queue poisoning where responses intended for one client may be delivered to another.

Summary generated and translated by AI from the official description.

Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to be making use of the [rewrites](https://nextjs.org/docs/app/api-reference/next-config-js/rewrites) feature in Next.js. The vulnerability is resolved in Next.js `13.5.1` and newer.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected products

vercel · next.js

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf