CVE-2024-46982
published 2024-09-17

Priority: P278 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 60.62% (99.0th percentile)

Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent, it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header, which some upstream CDNs may cache as well. To be potentially affected, all of the following must apply:

  1. Next.js between 13.5.1 and 14.2.9,
  2. Using pages router, and
  3. Using non-dynamic server-side rendered routes, e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`.

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue; we recommend that users patch to a safe version.

Affected

7 ranges
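| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| next | next | >= 13.5.1 < 13.5.7 | 13.5.7 |
| next | next | >= 14.0.0 < 14.2.10 | 14.2.10 |
| nuxt | nuxt | >= 3.0.0 < 3.16.0 | 3.16.0 |
| vercel | next.js | | |
| vercel | next.js | | |
| vercel | next.js | >= 13.5.1 < 13.5.7 | 13.5.7 |
| vercel | next.js | >= 14.0.0 < 14.2.10 | 14.2.10 |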

Detection & IOCs (extracted from sources)

snort
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Next.js Cached Server Response (CVE-2024-46982)"; flow:established,to_client; flowbits:isset,ET.NextJS.CVE-2024-46982; http.header; to_lowercase; content:"cache-control|3a 20|s-maxage=1, stale-while-revalidate"; fast_pattern; reference:url,zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir; reference:cve,2024-46982; classtype:web-application-attack; sid:2059711; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_27, cve CVE_2024_46982, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:src_ip;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Next.js Forced Caching via x-now-route-matches HTTP Header (CVE-2024-46982)"; flow:established,to_server; flowbits:set,ET.NextJS.CVE-2024-46982; flowbits:noalert; http.header; content:"x-now-route-matches|3a 20|1"; fast_pattern; reference:url,zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir; reference:cve,2024-46982; classtype:web-application-attack; sid:2059710; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_27, cve CVE_2024_46982, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect exploit attempt: inbound HTTP requests containing the header 'x-now-route-matches: 1' targeting Next.js pages router routes — this is the cache-poisoning trigger header.
  • Detect poisoned cache response: outbound HTTP responses containing 'Cache-Control: s-maxage=1, stale-while-revalidate' from a Next.js server, on a flow where the trigger header was already seen, indicate a successfully poisoned cache entry.
  • Use Snort/Suricata flowbits correlation: sid:2059710 sets ET.NextJS.CVE-2024-46982 on the inbound request; sid:2059711 checks for that flowbit on the outbound response, enabling two-stage detection of the full exploit chain.
  • Scope detection to Next.js pages router only — non-dynamic SSR routes (e.g. pages/dashboard.tsx) are affected; dynamic routes (e.g. pages/blog/[slug].tsx) and the app router are NOT affected.
  • Snort rules are tagged for TLS-decrypted traffic (tls_state TLSDecrypt / deployment SSLDecrypt). Without TLS inspection, HTTPS traffic to/from Next.js servers will not be inspected by these signatures.
  • The poisoned Cache-Control response header (s-maxage=1, stale-while-revalidate) may also be cached by upstream CDNs, extending the blast radius beyond the origin server.
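
The two-stage correlation described in the bullets above, applied to HTTP transaction logs rather than live traffic. This is an added example, not code from this page or from the Next.js project; the log schema (path, req, resp fields) and the sample records are constructed assumptions.

```python
import json

TRIGGER = "x-now-route-matches"                     # request header (sid:2059710)
POISONED_CC = "s-maxage=1, stale-while-revalidate"  # response value (sid:2059711)

# Constructed sample: one JSON object per HTTP transaction. The field names
# (path, req, resp) are assumptions, not a real proxy's log schema.
SAMPLE_LOG = """\
{"path": "/dashboard", "req": {"Accept": "text/html"}, "resp": {"Cache-Control": "private, no-store"}}
{"path": "/dashboard", "req": {"X-Now-Route-Matches": "1"}, "resp": {"Cache-Control": "s-maxage=1, stale-while-revalidate"}}
{"path": "/pricing", "req": {}, "resp": {"cache-control": "s-maxage=1, stale-while-revalidate"}}
{"path": "/settings", "req": {"x-now-route-matches": "1"}, "resp": {"Cache-Control": "private, no-store"}}
not-json garbage line
"""

def _norm(headers):
    """Lower-case header names so matching is case-insensitive."""
    return {str(k).lower(): str(v).strip() for k, v in (headers or {}).items()}

def classify(record):
    """Return 'poisoned', 'attempt', or None for one transaction."""
    req, resp = _norm(record.get("req")), _norm(record.get("resp"))
    # Stage 1: trigger header whose value begins with "1", as the rule content matches.
    triggered = req.get(TRIGGER, "").startswith("1")
    # Stage 2: cacheable response header; only counted when stage 1 fired.
    cacheable = POISONED_CC in resp.get("cache-control", "").lower()
    if triggered:
        return "poisoned" if cacheable else "attempt"
    return None  # response header alone is not flagged, mirroring flowbits:isset

def scan(log_text):
    """Return (line_number, path, verdict) for every flagged transaction."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON
        if not isinstance(record, dict):
            continue
        verdict = classify(record)
        if verdict:
            findings.append((n, record.get("path", "?"), verdict))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "poisoned" verdict on a path served by a CDN is the cue to purge that path at the edge as well as at the origin.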

CVSS provenance

nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa: 7.5 HIGH
osv: 7.5 HIGH
vulncheck: 7.5 HIGH