CVE-2024-46982
Published 2024-09-17
Priority: P2 · 78 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 60.62% (99.0th percentile)
Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent, it could coerce Next.js to cache a route that is meant not to be cached and to send a `Cache-Control: s-maxage=1, stale-while-revalidate` header, which some upstream CDNs may cache as well.
To be potentially affected, all of the following must apply:
1. Next.js between 13.5.1 and 14.2.9
2. Using pages router
3. Using non-dynamic server-side rendered routes, e.g. `pages/dashboard.tsx`, not `pages/blog/[slug].tsx`
This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue; we recommend that users patch to a safe version.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 13.5.1 < 13.5.7 | 13.5.7 |
| next | next | >= 14.0.0 < 14.2.10 | 14.2.10 |
| nuxt | nuxt | >= 3.0.0 < 3.16.0 | 3.16.0 |
| vercel | next.js | — | — |
| vercel | next.js | — | — |
| vercel | next.js | >= 13.5.1 < 13.5.7 | 13.5.7 |
| vercel | next.js | >= 14.0.0 < 14.2.10 | 14.2.10 |
Detection & IOCs (extracted from sources)
snort
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Next.js Cached Server Response (CVE-2024-46982)"; flow:established,to_client; flowbits:isset,ET.NextJS.CVE-2024-46982; http.header; to_lowercase; content:"cache-control|3a 20|s-maxage=1, stale-while-revalidate"; fast_pattern; reference:url,zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir; reference:cve,2024-46982; classtype:web-application-attack; sid:2059711; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_27, cve CVE_2024_46982, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:src_ip;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Next.js Forced Caching via x-now-route-matches HTTP Header (CVE-2024-46982)"; flow:established,to_server; flowbits:set,ET.NextJS.CVE-2024-46982; flowbits:noalert; http.header; content:"x-now-route-matches|3a 20|1"; fast_pattern; reference:url,zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir; reference:cve,2024-46982; classtype:web-application-attack; sid:2059710; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_27, cve CVE_2024_46982, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Detect exploit attempt: inbound HTTP requests containing the header `x-now-route-matches: 1` targeting Next.js pages router routes — this is the cache-poisoning trigger header.
- Detect poisoned cache response: outbound HTTP responses containing `Cache-Control: s-maxage=1, stale-while-revalidate` from a Next.js server indicate a successfully poisoned cache entry.
- Use Snort/Suricata flowbits correlation: sid:2059710 sets ET.NextJS.CVE-2024-46982 on the inbound request; sid:2059711 checks for that flowbit on the outbound response, enabling two-stage detection of the full exploit chain.
- Scope detection to Next.js pages router only — non-dynamic SSR routes (e.g. `pages/dashboard.tsx`) are affected; dynamic routes (e.g. `pages/blog/[slug].tsx`) and the app router are NOT affected.
- Snort rules are tagged for TLS-decrypted traffic (tls_state TLSDecrypt / deployment SSLDecrypt). Without TLS inspection, HTTPS traffic to/from Next.js servers will not be inspected by these signatures.
- The poisoned Cache-Control response header (`s-maxage=1, stale-while-revalidate`) may also be cached by upstream CDNs, extending the blast radius beyond the origin server.
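The same two-stage correlation can be run over reverse-proxy logs where the proxy already sees decrypted headers. The script below is an added example, not part of the ET ruleset or of Next.js; the JSON-lines log schema (`src`, `path`, `req_headers`, `resp_headers`) and the sample entries are constructed for illustration. Unlike sid:2059710, which is `noalert`, it also reports requests that carried the trigger header but did not produce the poisoned response.

```python
import json

TRIGGER = "x-now-route-matches"                     # request header keyed on by sid:2059710
POISONED_CC = "s-maxage=1, stale-while-revalidate"  # response value keyed on by sid:2059711

# Constructed sample log (hypothetical schema): one JSON object per transaction.
SAMPLE_LOG = """\
{"src":"203.0.113.7","path":"/dashboard","req_headers":{"Host":"app.example","X-Now-Route-Matches":"1"},"resp_headers":{"Cache-Control":"s-maxage=1, stale-while-revalidate"}}
{"src":"198.51.100.9","path":"/dashboard","req_headers":{"x-now-route-matches":"1"},"resp_headers":{"Cache-Control":"private, no-cache, no-store, max-age=0, must-revalidate"}}
{"src":"192.0.2.44","path":"/about","req_headers":{"Host":"app.example"},"resp_headers":{"cache-control":"s-maxage=1, stale-while-revalidate"}}
truncated {"src":
"""


def _lower(headers):
    """Header names are case-insensitive: normalise names, stringify values."""
    return {str(k).lower(): str(v).strip() for k, v in (headers or {}).items()}


def classify(txn):
    """Return None, 'attempt' or 'poisoned-response' for one transaction."""
    req, resp = _lower(txn.get("req_headers")), _lower(txn.get("resp_headers"))
    if not req.get(TRIGGER, "").startswith("1"):
        return None  # stage 1 not met, like the flowbit never being set
    if POISONED_CC in resp.get("cache-control", "").lower():
        return "poisoned-response"  # stage 2: both halves seen on one transaction
    return "attempt"


def scan(lines):
    """Return (line_no, verdict, src, path) for every flagged log line."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        try:
            txn = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if isinstance(txn, dict) and (verdict := classify(txn)):
            findings.append((line_no, verdict, txn.get("src"), txn.get("path")))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The third sample line shows why the response header alone is not flagged: as with the flowbit check in sid:2059711, the `Cache-Control` value only counts when the same transaction carried the trigger header.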
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa · 7.5 HIGH
osv · 7.5 HIGH
vulncheck · 7.5 HIGH
GHSA
Nuxt allows DOS via cache poisoning with payload rendering response
ghsa·2025-03-19·CVSS 7.5
CVE-2025-27415 [HIGH] CWE-349 Nuxt allows DOS via cache poisoning with payload rendering response
### Summary
By sending a crafted HTTP request to a server behind a CDN, it is possible in some circumstances to poison the CDN cache, which severely impacts the availability of a site.
It is possible to craft a request, such as `https://mysite.com/?/_payload.json`, which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site.
### Impact
An attacker can perform this attack against a vulnerable site in order to make the site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so
OSV
Nuxt allows DOS via cache poisoning with payload rendering response
osv·2025-03-19·CVSS 7.5
CVE-2025-27415 [HIGH] Nuxt allows DOS via cache poisoning with payload rendering response
OSV
Next.js Cache Poisoning
osv·2024-09-17
CVE-2024-46982 [HIGH] Next.js Cache Poisoning
### Impact
By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well.
To be potentially affected all of the following must apply:
- Next.js between 13.5.1 and 14.2.9
- Using pages router
- Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`
The below configurations are unaffected:
- Deployments using only app router
- Deployments on [Vercel](https://vercel.com/) are not affected
GHSA
Next.js Cache Poisoning
ghsa·2024-09-17
CVE-2024-46982 [HIGH] CWE-349 Next.js Cache Poisoning
VulnCheck
vercel next.js Authorization Bypass Through User-Controlled Key
vulncheck·2024·CVSS 7.5
CVE-2024-46982 [HIGH] vercel next.js Authorization Bypass Through User-Controlled Key
Suricata
ET WEB_SPECIFIC_APPS Next.js Cached Server Response (CVE-2024-46982)
suricata·2025-01-27·CVSS 7.5
CVE-2024-46982 [HIGH] ET WEB_SPECIFIC_APPS Next.js Cached Server Response (CVE-2024-46982)
Suricata
ET WEB_SPECIFIC_APPS Next.js Forced Caching via x-now-route-matches HTTP Header (CVE-2024-46982)
suricata·2025-01-27·CVSS 7.5
CVE-2024-46982 [HIGH] ET WEB_SPECIFIC_APPS Next.js Forced Caching via x-now-route-matches HTTP Header (CVE-2024-46982)
No public exploits indexed.
No writeups or analysis indexed.
2024-09-17
Published
Exploited in the wild