Next.js Vulnerability CVE-2024-46982: Cache Poisoning Exploit Threatens Deployments
In the fast-paced world of web development, security is a constant concern, especially for platforms that power high-traffic applications like Next.js. Recently, the Next.js team has disclosed a new vulnerability—CVE-2024-46982—which affects specific versions of the framework, leaving certain deployments exposed to cache poisoning attacks.
For the uninitiated, Next.js is a popular open-source framework that enables developers to create full-stack web applications with React, bolstered by cutting-edge Rust-based tooling for lightning-fast builds. Used by industry giants worldwide, the platform offers flexibility and performance, but like any powerful tool, it isn’t immune to security flaws.
CVE-2024-46982 (CVSS 7.5) is a cache poisoning vulnerability that threatens some Next.js deployments, specifically those using non-dynamic server-side rendered (SSR) routes within the pages router. When a crafted HTTP request is sent to a vulnerable server, it tricks the application into caching responses that should not be cached. This exploit can propagate to upstream Content Delivery Networks (CDNs), leading to potentially harmful consequences, such as serving poisoned content to users.
In technical terms, the vulnerability forces Next.js to cache certain routes with inappropriate cache headers like Cache-Control: s-maxage=1, stale-while-revalidate. This can result in CDNs caching these routes and serving them under unsafe conditions, introducing stale or poisoned data into the web application’s ecosystem.
The risk is specific and not all Next.js deployments are vulnerable. To be affected, all of the following conditions must apply:
- Next.js version: Between 13.5.1 and 14.2.9
- Router: Using the pages router
- Routes: Using non-dynamic server-side rendered routes (e.g.,
pages/dashboard.tsx, notpages/blog/[slug].tsx)
The following configurations are not affected:
- Deployments using only the app router
- Deployments on Vercel
The vulnerability has been addressed in Next.js versions 13.5.7, 14.2.12, and later. Upgrading to a patched version is strongly recommended, even if you haven’t experienced any issues. There are no official or recommended workarounds for this vulnerability. Patching to a safe version is the best course of action.
