CVE-2024-51479: Next.js Authorization Bypass Vulnerability Affects Millions of Developers
A recently disclosed vulnerability in Next.js, the React framework created and maintained by Vercel and used by millions of developers, allowed pathname-based authorization checks in middleware to be bypassed, exposing pages that were meant to require a login.
The vulnerability, tracked as CVE-2024-51479 with a CVSS score of 7.5, was reported by tyage of GMO Cybersecurity by IERAE. It affects Next.js versions 9.5.5 through 14.2.14 inclusive, that is, every release from 9.5.5 up to but not including the fixed 14.2.15.
The vulnerability stemmed from an authorization bypass issue in Next.js middleware. As described in the security advisory, “If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application’s root directory.”
In other words, a middleware rule such as "redirect to /login unless the request carries a valid session" could be skipped for a page served directly under the root, such as /foo (pages/foo.js), while the same rule on a nested page such as /dashboard/foo (pages/dashboard/foo.js) was not affected. Any root-level page that relied on middleware as its only access control was reachable without authorization.
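To make the pattern concrete, the following is an added example (not code from Next.js, Vercel or the advisory) of pathname-based authorization in middleware, written against the Web-standard Request and Response that Next.js's NextRequest and NextResponse extend, so it runs in plain Node 18+ without the next package. In a real middleware.js you would return NextResponse.redirect() or NextResponse.next() and read request.nextUrl.pathname instead. The cookie name, the session store and the protected paths are assumptions for illustration; the handle() helper simulates the request flow so the page-level guard can be exercised with and without the middleware check.

```javascript
// Added example (not from the Next.js project or the advisory): the
// pathname-based middleware authorization pattern the advisory describes,
// plus a page-level guard as defense in depth. Runs on Node 18+ with no
// dependencies. SESSION_COOKIE, VALID_SESSIONS and the paths are assumed.

const SESSION_COOKIE = 'session';
// Constructed stand-in for a session store; a real app would verify a
// signed token or look the value up server-side.
const VALID_SESSIONS = new Set(['s3ss10n-ok']);

// Routes that require a logged-in user. "/foo" is a page directly under the
// application root, the class of route the advisory says could be bypassed
// in affected versions; "/dashboard/foo" is a nested page.
const PROTECTED_PREFIXES = ['/foo', '/dashboard'];

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

function hasValidSession(request) {
  const cookies = parseCookies(request.headers.get('cookie'));
  return VALID_SESSIONS.has(cookies[SESSION_COOKIE]);
}

// Prefix match on path segments, so "/foobar" does not count as "/foo".
function isProtectedPath(pathname) {
  return PROTECTED_PREFIXES.some(
    (p) => pathname === p || pathname.startsWith(p + '/'),
  );
}

// Middleware in the shape of Next.js's middleware.js: decide purely from the
// request pathname whether to let the request through (null here plays the
// role of NextResponse.next()) or redirect to the login page.
function middleware(request) {
  const { pathname } = new URL(request.url);
  if (isProtectedPath(pathname) && !hasValidSession(request)) {
    return new Response(null, {
      status: 307,
      headers: { Location: '/login?next=' + encodeURIComponent(pathname) },
    });
  }
  return null;
}

// Defense in depth: the page's own server-side loader repeats the check, so
// access does not depend on middleware having acted on the request at all.
// Shaped like a Next.js getServerSideProps result: {redirect} or {props}.
function getServerSideProps(request) {
  if (!hasValidSession(request)) {
    return { redirect: { destination: '/login', permanent: false } };
  }
  return { props: { user: 'demo' } };
}

// Simulate the request flow. skipMiddleware models the situation the
// advisory describes, where the middleware decision is not applied to a
// root-level page; the page guard must still deny the request.
function handle(request, { skipMiddleware = false } = {}) {
  if (!skipMiddleware) {
    const early = middleware(request);
    if (early) return { status: early.status, location: early.headers.get('Location') };
  }
  const result = getServerSideProps(request);
  if (result.redirect) return { status: 307, location: result.redirect.destination };
  return { status: 200, props: result.props };
}
```

An application whose only check lived in middleware() was exposed on affected versions; the getServerSideProps() guard is what still returns a redirect when the middleware decision is skipped. The same applies to API routes and App Router route handlers: verify the session where the data is actually produced, not only at the edge.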
The impact is significant given how widely Next.js is deployed. An application whose only access control for a root-level page lived in middleware could have served that page, and whatever user or business data it rendered, to unauthenticated clients.
The Next.js team fixed CVE-2024-51479 in version 14.2.15. Developers should upgrade to 14.2.15 or later; the affected range runs right up to that release, so applications still on 13.x or older lines need to move to a fixed 14.x release rather than wait for a backport. Until an application is upgraded, it should not rely on middleware as its only authorization layer: enforce the same session check in the page's server-side code, API routes and route handlers.
For applications hosted on Vercel, the company that created and maintains Next.js, the vulnerability was mitigated at the platform level regardless of the Next.js version in use. Self-hosted deployments (a Node.js server, a container image, or another hosting provider) receive no such platform mitigation and must upgrade.
The Next.js team credited tyage for responsibly disclosing the vulnerability, which allowed a fix to be released before the details were made public.