CVE-2024-51479
Published 2024-12-17. CVE-2024-51479: Next.js is a React framework for building full-stack web applications. In affected versions, if a Next.js application is performing authorization in middleware…
Priority: P3 · 50 · high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 3.88% (88.9th percentile)
Next.js is a React framework for building full-stack web applications. In affected versions, if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example:
- [Not affected] `https://example.com/`
- [Affected] `https://example.com/foo`
- [Not affected] `https://example.com/foo/bar`
This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 9.5.5 < 14.2.15 | 14.2.15 |
| vercel | next.js | — | — |
| vercel | next.js | >= 9.5.5 < 14.2.15 | 14.2.15 |
Detection & IOCs (extracted from sources)
- The bypass affects only pages directly under the application root (a single path segment such as /foo), not the root itself (/) or deeper paths (/foo/bar). Detection should focus on requests to single-segment paths that the middleware is meant to protect.
- Red Hat attributes the bypass to an incorrectly sanitized query parameter that produces an invalid routing condition; monitor for anomalous or malformed query strings on single-segment requests to protected Next.js routes.
- Only applications that perform authorization in middleware based on pathname are vulnerable; applications that do not rely on path-based middleware authorization are unaffected.
- The affected population is self-hosted Next.js applications without i18n configuration. Applications hosted on Vercel are automatically mitigated regardless of Next.js version, so scope detection to self-hosted deployments.
- The fix ships in Next.js 14.2.15. Identify unpatched instances from package manifests and lockfiles (versions >= 9.5.5 and < 14.2.15). The default `X-Powered-By: Next.js` response header identifies the framework but does not carry a version, so it can scope a fleet but cannot confirm patch state.
- There are no official workarounds; upgrading to 14.2.15 or later is the only remediation.
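Two of the checks above, version triage and log review, as an added worked example in Node.js; this is not code from any of the advisories or from the Next.js project. It assumes the operator knows which top-level pages the middleware protects (the hypothetical `protectedPages` list) and that access logs are in Apache/nginx combined format; the log lines embedded in the block are constructed, and the version-range logic encodes only the advisory range (>= 9.5.5, < 14.2.15). Flagging a single-segment protected path that carries a query string is a triage heuristic taken from the IOC list, not a signature for the bug, so expect it to surface benign traffic that needs review.

```javascript
// Added triage helpers for CVE-2024-51479. Not part of any advisory or of Next.js itself.
// Assumptions (hypothetical): the operator supplies the list of protected top-level pages,
// and logs are in combined format. The sample log lines at the bottom are constructed.

const FIRST_AFFECTED = [9, 5, 5];   // advisory range: >= 9.5.5
const FIXED_IN = [14, 2, 15];       // advisory range: < 14.2.15

// Parse "MAJOR.MINOR.PATCH"; a leading "v" and any prerelease/build suffix are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version falls inside the advisory's affected range.
function isVulnerableVersion(v) {
  const p = parseVersion(v);
  return cmpVersion(p, FIRST_AFFECTED) >= 0 && cmpVersion(p, FIXED_IN) < 0;
}

// Pull the declared Next.js version out of a parsed package.json. Range operators (^, ~, >=)
// are stripped so the declared floor is checked; the lockfile is the authoritative source.
function nextVersionFromPackageJson(pkg) {
  const spec = (pkg.dependencies && pkg.dependencies.next) ||
               (pkg.devDependencies && pkg.devDependencies.next);
  if (!spec) return null;
  return spec.replace(/^[\^~>=<\s]+/, '');
}

// Combined log format: ip ident user [ts] "METHOD target proto" status bytes ...
const COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \S+/;

// Parse one line into {ip, ts, method, path, query, status}, or null if it does not match.
function parseLogLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  const target = m[4];
  const q = target.indexOf('?');
  return {
    ip: m[1],
    ts: m[2],
    method: m[3],
    path: q === -1 ? target : target.slice(0, q),
    query: q === -1 ? '' : target.slice(q + 1),
    status: Number(m[5]),
  };
}

// Exactly one path segment directly under the root: "/foo", but not "/" or "/foo/bar".
const SINGLE_SEGMENT_RE = /^\/[^/]+$/;

// Flag requests to protected single-segment pages that carry a query string (the request
// shape the advisories point at). `served` marks a 2xx, i.e. the page was returned rather
// than redirected or denied, which is the case worth correlating with session data.
function flagSuspiciousRequests(lines, protectedPages) {
  const protectedSet = new Set(protectedPages.map(p => '/' + p.replace(/^\/+|\/+$/g, '')));
  const findings = [];
  for (const line of lines) {
    const r = parseLogLine(line);
    if (!r) continue;
    if (!SINGLE_SEGMENT_RE.test(r.path)) continue;
    if (!protectedSet.has(r.path)) continue;
    if (r.query === '') continue;
    findings.push({ ...r, served: r.status >= 200 && r.status < 300 });
  }
  return findings;
}

// Constructed sample traffic (not real logs): only the third line should be flagged.
const SAMPLE_LOG = [
  '203.0.113.7 - - [17/Dec/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 1234',
  '203.0.113.7 - - [17/Dec/2024:10:00:02 +0000] "GET /dashboard HTTP/1.1" 302 0',
  '203.0.113.7 - - [17/Dec/2024:10:00:03 +0000] "GET /dashboard?x=1 HTTP/1.1" 200 5120',
  '203.0.113.7 - - [17/Dec/2024:10:00:04 +0000] "GET /dashboard/reports?x=1 HTTP/1.1" 302 0',
  '203.0.113.7 - - [17/Dec/2024:10:00:05 +0000] "GET /about?utm=1 HTTP/1.1" 200 800',
];

console.log('14.2.14 vulnerable:', isVulnerableVersion('14.2.14'));
console.log('14.2.15 vulnerable:', isVulnerableVersion('14.2.15'));
console.log(flagSuspiciousRequests(SAMPLE_LOG, ['dashboard', 'admin']));
```

Run it with `node` to see the results for the embedded sample. In practice, feed it lines from the reverse proxy in front of the self-hosted Next.js server and cross-check any `served: true` finding against your session store; for the version check, prefer the lockfile over package.json whenever the declared spec is a range.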
CVSS provenance
- nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- vendor_redhat: 7.5 HIGH
GHSA
Next.js authorization bypass vulnerability (ghsa · 2024-12-17 · CVE-2024-51479 · HIGH · CWE-285)
### Impact
If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.
### Patches
This issue was patched in Next.js `14.2.15` and later.
If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.
### Workarounds
There are no official workarounds for this vulnerability.
#### Credits
We'd like to thank [tyage](http://github.com/tyage) (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.
OSV
Next.js authorization bypass vulnerability (osv · 2024-12-17 · CVE-2024-51479 · HIGH); the advisory text mirrors the GHSA entry above.
Red Hat
next.js: next: authorization bypass in Next.js (vendor_redhat · 2024-12-17 · CVSS 7.5 · CVE-2024-51479 · HIGH · CWE-285)
A flaw was found in the Next.js framework. An incorrectly sanitized query p
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-12-17