CVE-2024-51479

Authorization Bypass
Affects Next.js <=14.2.14 in Next.js
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Next.js is a popular open-source React framework that simplifies the development of server-rendered, static, and dynamic web applications by providing built-in features like routing, code splitting, and API routes. 

If a Next.js application is performing authorization in middleware based on pathname, it is possible for this authorization to be bypassed.

Authorization Bypass is a security vulnerability where an attacker circumvents access controls to gain unauthorized access to resources or functionality in a system. It occurs when an application fails to properly enforce permissions, allowing users to access data or perform actions they shouldn’t. This type of flaw often stems from improper authorization checks, like relying on easily manipulated inputs such as pathnames.

Ramifications of Authorization Bypass:

  • Sensitive information (e.g., user data, financial records) could be accessed by unauthorized parties.
  • Attackers might gain higher-level permissions, such as admin access, to manipulate the system.
  • Malicious users could perform restricted operations, like deleting files or modifying settings.
  • Bypassing controls might allow attackers to install malware or exploit further vulnerabilities.
  • Breaches resulting from the bypass could erode trust in the application or organization.
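As an added example (not code from this advisory or from the Next.js project), the following JavaScript flags an installed `next` version as falling inside the affected range and shows the kind of pathname-based middleware authorization the advisory refers to, which on an unpatched framework must not be the only authorization layer. All function names and the lockfile fragment are constructed for illustration.

```javascript
// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers. Pre-release tags are
// ignored, so "14.2.15-canary.1" compares as 14.2.15 (assumption for brevity).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Compare two semver strings: negative, zero or positive, strcmp-style.
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

const LAST_AFFECTED = "14.2.14"; // upper bound stated in the advisory

// True when the given next version is within the advisory's affected range.
function isAffectedByCve202451479(nextVersion) {
  return compareSemver(nextVersion, LAST_AFFECTED) <= 0;
}

// Read the resolved `next` version from a package-lock.json (v2/v3 format,
// which keys installed packages by their node_modules path).
function installedNextVersion(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const entry = lock.packages && lock.packages["node_modules/next"];
  return entry ? entry.version : null;
}

// The pattern the advisory refers to: an authorization decision in middleware
// made purely from the request pathname. Returns "allow" or "deny". Because
// the advisory says this check could be bypassed on affected versions, the
// protected pages/route handlers should enforce authorization themselves too.
function pathnameAuthz(pathname, isAuthenticated) {
  const protectedPrefixes = ["/admin", "/dashboard"];
  const isProtected = protectedPrefixes.some(
    (p) => pathname === p || pathname.startsWith(p + "/"));
  return isProtected && !isAuthenticated ? "deny" : "allow";
}

// Constructed sample lockfile fragment (not any real project's file).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: { "": { name: "demo-app" },
              "node_modules/next": { version: "14.2.14" } },
});
```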

Details

Module Info

Product: Next.js

Affected packages: Next.js

Affected versions: <=14.2.14

GitHub Repo: https://github.com/vercel/next.js

Published packages: Next.js

Package manager: npm

Vulnerability Info

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Addressing the Issue

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a version of the framework that isn’t susceptible to the exploit.
  • Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this software.

Credit(s)

Vulnerability Details

ID: CVE-2024-51479

Project affected: Next.js

Versions affected: <=14.2.14

Published date: December 17, 2024

≈ Fix date: December 17, 2024

Fixed in:

Severity: High

Category: Authorization Bypass