Overview
Next.js is a popular open-source React framework that simplifies the development of server-rendered, static, and dynamic web applications by providing built-in features like routing, code splitting, and API routes.
If a Next.js application performs authorization in middleware and decides whether to run that check based on the request pathname, the authorization can be bypassed.
Authorization Bypass is a security vulnerability in which an attacker circumvents access controls to reach resources or functionality they are not entitled to. It occurs when an application fails to enforce permissions at the point where the protected action is actually performed, so users can read data or perform actions they shouldn't. This type of flaw often stems from authorization checks that hinge on easily manipulated inputs, such as the request pathname, or that live only in a front layer (such as middleware) that the protected handler assumes has already run.
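The following is an added example, not code from the advisory or from the Next.js project. It models, in plain Node.js with no framework dependency, the pattern the paragraph above describes: a middleware that gates `/admin` by pathname, a route handler that trusts the middleware, and a hardened handler that re-derives authorization from the session itself. The request shape, the `SESSIONS` store, the tokens and the `serve` pipeline are constructed for illustration; the `middlewareRuns` flag simply models the condition where a request reaches the handler without the middleware having applied, without asserting how that happens.

```javascript
// Constructed session store for the example: cookie token -> user record.
const SESSIONS = new Map([
  ["tok-admin", { user: "alice", role: "admin" }],
  ["tok-user", { user: "bob", role: "user" }],
]);

// Resolve the session from the request's cookie (assumed request shape).
function lookupSession(req) {
  const token = req.cookies && req.cookies.session;
  return token ? SESSIONS.get(token) || null : null;
}

// Pathname-based middleware: the role check only runs for URLs under /admin.
// Returning a response short-circuits; returning null continues to the handler.
function middleware(req) {
  const { pathname } = new URL(req.url);
  if (pathname.startsWith("/admin")) {
    const session = lookupSession(req);
    if (!session || session.role !== "admin") {
      return { status: 403, body: "forbidden" };
    }
  }
  return null;
}

// Weak handler: assumes the middleware has already authorized the caller.
function adminHandlerTrustingMiddleware(_req) {
  return { status: 200, body: "admin data" };
}

// Hardened handler: enforces authorization itself, so it does not matter
// whether the middleware ran for this request.
function adminHandlerHardened(req) {
  const session = lookupSession(req);
  if (!session || session.role !== "admin") {
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: "admin data" };
}

// Minimal pipeline. `middlewareRuns` models whether the middleware was applied;
// a middleware-layer authorization bypass is exactly the case where the handler
// is reached with middlewareRuns === false.
function serve(req, handler, middlewareRuns = true) {
  if (middlewareRuns) {
    const early = middleware(req);
    if (early) return early;
  }
  return handler(req);
}

// Build a constructed request for a given path and optional session token.
function makeRequest(path, sessionToken) {
  return {
    url: `https://app.example${path}`,
    cookies: sessionToken ? { session: sessionToken } : {},
  };
}

// Status codes for each scenario; the weak handler returns 200 to a
// non-admin as soon as the middleware is not in the path.
function runScenarios() {
  const bob = makeRequest("/admin/users", "tok-user");
  const alice = makeRequest("/admin/users", "tok-admin");
  return {
    bobWithMiddleware: serve(bob, adminHandlerTrustingMiddleware).status,
    bobNoMiddlewareWeak: serve(bob, adminHandlerTrustingMiddleware, false).status,
    bobNoMiddlewareHardened: serve(bob, adminHandlerHardened, false).status,
    aliceNoMiddlewareHardened: serve(alice, adminHandlerHardened, false).status,
  };
}

console.log(runScenarios());
```

The design point is defense in depth: middleware is a convenient place to reject obviously unauthorized requests early, but the handler that returns protected data must perform the check itself, because the handler is the only component that is guaranteed to execute when the data is served.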
Ramifications of Authorization Bypass:
- Sensitive information (e.g., user data, financial records) could be accessed by unauthorized parties.
- Attackers might gain higher-level permissions, such as admin access, to manipulate the system.
- Malicious users could perform restricted operations, like deleting files or modifying settings.
- Bypassing controls might allow attackers to install malware or exploit further vulnerabilities.
- Breaches resulting from the bypass could erode trust in the application or organization.
Details
Module Info
Product: Next.js
Affected packages: Next.js
Affected versions: <=14.2.14
GitHub Repo: https://github.com/vercel/next.js
Published packages: Next.js
Package manager: npm
Vulnerability Info
The image optimization feature of Next.js contained a vulnerability that allowed a potential Denial of Service (DoS) condition through excessive CPU consumption.
Addressing the Issue
Users of the affected components should apply one of the following mitigations:
- Upgrade to a version of the framework that is not affected.
- Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this software.