CyberSecurity updates
2024-12-26 16:40:32 Pacific

Next.js Authorization Bypass Exposes Root Pages - 6d
Read more: socradar.io

A critical security flaw, identified as CVE-2024-51479, has been discovered in the popular React framework Next.js. This authorization bypass vulnerability affects versions 9.5.5 through 14.2.14 and allows attackers to potentially gain unauthorized access to pages located directly under the application's root directory. The flaw lies in how Next.js applies pathname-based authorization checks in middleware: routes directly under the root, such as https://example.com/foo, are affected, while the root itself (https://example.com/) and deeper nested routes like https://example.com/foo/bar are not.

The potential impact of this vulnerability is significant, given the widespread use of Next.js among developers. The severity is rated high, with a CVSS score of 7.5, and the ease of exploitation makes it an attractive target for malicious actors. Developers are urged to upgrade immediately to version 14.2.15, which includes a patch for the issue. For applications hosted on Vercel, the vulnerability has already been automatically mitigated. No other workarounds have been officially released, making the update essential for preventing exploitation. The vulnerability was responsibly disclosed by security researcher Tyage from GMO Cybersecurity by IERAE.
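Added here as a defender's check, not code from the original report or from Next.js itself: a Node.js script that audits a package-lock.json for every installed copy of next whose version falls in the range the advisory names (9.5.5 through 14.2.14, fixed in 14.2.15), generalising the version numbers above into a range test. The lockfile excerpt is constructed, and treating a prerelease of 14.2.15 as still affected is an assumption made here.

```javascript
// Added example: flag Next.js versions in the range the advisory names as
// affected by CVE-2024-51479 (9.5.5 through 14.2.14; first fixed in 14.2.15).
const AFFECTED_MIN = '9.5.5';
const FIRST_FIXED = '14.2.15';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts; null for ranges like "^14.2.0".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// Compare two versions by their numeric components only; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] < pb.parts[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version lies in [9.5.5, 14.2.15). Assumption: a prerelease
// of the first fixed release (e.g. 14.2.15-canary.x) is treated conservatively as affected.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return false; // not a pinned version: inspect manually
  if (compareVersions(version, AFFECTED_MIN) < 0) return false;
  if (compareVersions(version, FIRST_FIXED) < 0) return true;
  return compareVersions(version, FIRST_FIXED) === 0 && p.prerelease !== null;
}

// Scan a package-lock.json (lockfileVersion 2/3 "packages" map) for installed copies of next,
// including copies nested under other packages' node_modules.
function findAffectedNext(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/next') || !meta || !meta.version) continue;
    if (isAffected(meta.version)) findings.push({ path, version: meta.version });
  }
  return findings;
}

// Constructed lockfile: one affected copy under the app, one fixed copy nested in a tool.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { next: '14.2.14' } },
    'node_modules/next': { version: '14.2.14' },
    'node_modules/some-tool/node_modules/next': { version: '14.2.15' },
  },
};

console.log(JSON.stringify(findAffectedNext(SAMPLE_LOCK)));
```

Against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means at least one installed copy of next still needs the 14.2.15 upgrade.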