The popular React framework, Next.js, has addressed a security vulnerability that could have allowed attackers to launch denial-of-service (DoS) attacks against applications using Server Actions. The vulnerability, tracked as CVE-2024-56332, was responsibly disclosed by the PackDraw team.
Next.js, known for its performance and developer-friendly features, is used by many high-traffic websites and applications. Server Actions, a relatively new feature, are asynchronous functions that execute on the server and can be called from client components, typically to handle form submissions and data mutations without a hand-written API route. Each invocation is an ordinary HTTP request handled by the Next.js server, which is what made them usable as a denial-of-service vector: a request the action handler never finishes processing is a request that stays open.
How the Vulnerability Worked
The security advisory explains the vulnerability as follows: “A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.”
Essentially, attackers could craft requests that left a Server Action invocation waiting for input that never arrives, so the request stayed open until the hosting platform's execution limit cancelled it. The Next.js process was not busy during that time; the advisory notes that the server is idle, only keeps the connection open, and that CPU and memory usage stay low. The damage comes from accumulation: each such request holds a connection (and, on serverless hosts, a billable function invocation) for the full timeout, and enough of them in parallel exhaust connection or concurrency limits so that legitimate requests are queued or rejected. The advisory compares it to the long-known problem of an HTTP request with an invalid body, now reachable through Server Actions.
Impact and Mitigation
CVE-2024-56332 affected Next.js deployments using Server Actions, and especially those with no protection against long-running function executions. Hosting providers like Vercel and Netlify set a default maximum duration for function execution (primarily to cap billing), which bounds how long any single hung request can persist; self-hosted deployments, or platforms without such a limit, had no ceiling other than whatever their reverse proxy or process manager imposed.
The Next.js team has released patched versions to address this vulnerability. Users are strongly advised to upgrade to a fixed release on their major line: Next.js 13.5.8, 14.2.21, or 15.1.2 (or any later release) to ensure their applications are protected.
No Workarounds Available
The security advisory states that "there are no official workarounds for this vulnerability," emphasizing the importance of upgrading to a patched version. Teams that cannot upgrade immediately should at least confirm that their platform, reverse proxy, or Node.js server enforces a maximum request duration; that limits how long each hung request can persist, but it only caps the damage and does not remove the issue.