cbcvebase.
CVE-2024-51479
published 2024-12-17


Priority: P3 · 50 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 3.88% (88.9th percentile)
Next.js is a React framework for building full-stack web applications. In affected versions, if a Next.js application performs authorization in middleware based on pathname, that authorization could be bypassed for pages directly under the application's root directory. For example:

  • [Not affected] `https://example.com/`
  • [Affected] `https://example.com/foo`
  • [Not affected] `https://example.com/foo/bar`

This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.

Affected

3 ranges

Vendor | Product | Version range       | Fixed in
next   | next    | >= 9.5.5 < 14.2.15  | 14.2.15
vercel | next.js |                     |
vercel | next.js | >= 9.5.5 < 14.2.15  | 14.2.15

Detection & IOCs (extracted from sources)

  • Authorization bypass affects only pages directly under the application root (single path segment, e.g. /foo), NOT the root itself (/) or deeper paths (/foo/bar). Detection should focus on requests to single-segment paths that should be protected by middleware.
  • The bypass is triggered by an incorrectly sanitized query parameter causing an invalid routing condition — monitor for anomalous or malformed query parameters on single-segment path requests to protected Next.js routes.
  • Only self-hosted Next.js applications without i18n configuration are vulnerable. Applications on Vercel are automatically mitigated. Scope detection efforts to self-hosted deployments.
  • Patch version is Next.js 14.2.15 — identify unpatched instances by checking the running Next.js version in server response headers (e.g., X-Powered-By) or package manifests for versions prior to 14.2.15.
  • Only Next.js applications performing authorization in middleware based on pathname are vulnerable. Applications not using path-based middleware authorization are unaffected.
  • Self-hosted Next.js applications missing i18n configuration are the affected population. Vercel-hosted applications are automatically mitigated regardless of Next.js version.
  • There are no official workarounds available for this vulnerability; patching to 14.2.15 or later is the only remediation.
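The two checks the bullets above describe, written out as an added example that is not part of this record or of the Next.js project: first, deciding whether the installed Next.js version falls inside the affected range (>= 9.5.5, < 14.2.15) by reading the resolved version from `node_modules/next/package.json` rather than the caret/tilde specifier in the application's own `package.json`; second, triaging access-log lines for requests to single-segment paths (the only affected shape) that middleware is supposed to protect, and noting which of them carry a query string. The log format (`METHOD PATH STATUS` per line), the protected page list and the sample manifests are constructed assumptions for the demonstration.

```javascript
// Added example for CVE-2024-51479 (not from the advisory or Next.js itself).
// Check 1: is the installed Next.js version inside the affected range?
// Check 2: which logged requests hit protected single-segment paths?

function parseSemver(v) {
  // major.minor.patch with optional -prerelease and +build metadata
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  // Per semver a prerelease sorts before its release (14.2.15-canary.1 < 14.2.15),
  // so a prerelease of the fixed version is still counted as inside the range.
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

const AFFECTED_FROM = parseSemver('9.5.5');   // lower bound from the advisory
const FIXED_IN = parseSemver('14.2.15');      // first fixed version

function isAffectedVersion(version) {
  const v = parseSemver(version);
  return compareSemver(v, AFFECTED_FROM) >= 0 && compareSemver(v, FIXED_IN) < 0;
}

// pkgJson: parsed contents of node_modules/next/package.json (the resolved install).
function assessNextPackage(pkgJson) {
  if (!pkgJson || pkgJson.name !== 'next' || typeof pkgJson.version !== 'string') {
    return { affected: false, version: null, reason: 'next not installed or manifest unreadable' };
  }
  const affected = isAffectedVersion(pkgJson.version);
  return {
    affected,
    version: pkgJson.version,
    reason: affected ? 'inside affected range; upgrade to 14.2.15 or later' : 'outside affected range',
  };
}

// Exactly one non-empty path segment: "/" -> false, "/foo" -> true, "/foo/bar" -> false.
function isSingleSegmentPath(pathname) {
  const noQuery = pathname.split('?')[0];
  return /^\/[^/]+\/?$/.test(noQuery);
}

// Constructed access log in the assumed "METHOD PATH STATUS" format.
const SAMPLE_LOG = [
  'GET /                 200',
  'GET /admin            200',
  'GET /admin?x=1        200',
  'GET /admin/users      307',
  'GET /dashboard/       200',
  'GET /public           200',
];
// Assumed list of single-segment pages that middleware is meant to protect.
const PROTECTED_PAGES = ['/admin', '/dashboard'];

function flagSingleSegmentRequests(logLines, protectedPages) {
  const wanted = new Set(protectedPages);
  const hits = [];
  for (const line of logLines) {
    const [method, url, status] = line.trim().split(/\s+/);
    if (!url) continue;
    const qIdx = url.indexOf('?');
    const path = qIdx === -1 ? url : url.slice(0, qIdx);
    // Treat "/foo/" like "/foo"; leave "/" alone.
    const normalized = path.length > 1 ? path.replace(/\/$/, '') : path;
    if (isSingleSegmentPath(normalized) && wanted.has(normalized)) {
      hits.push({ method, path: normalized, status: Number(status), hasQuery: qIdx !== -1 });
    }
  }
  return hits;
}

// Stand-alone run over the constructed inputs.
console.log(assessNextPackage({ name: 'next', version: '14.2.14' }));
console.log(assessNextPackage({ name: 'next', version: '14.2.15' }));
console.log(flagSingleSegmentRequests(SAMPLE_LOG, PROTECTED_PAGES));
```

Requests with a query string on a protected single-segment path are the ones worth reviewing first, since the extracted notes tie the bypass to a malformed query parameter; deeper paths such as `/admin/users` are deliberately not flagged because the advisory limits the affected shape to a single segment.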

CVSS provenance

nvd (CVSS v3.1): 7.5 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vendor_redhat: 7.5 HIGH