CVE-2024-56332
published 2025-01-03CVE-2024-56332: Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is…
PriorityP428medium5.3CVSS 3.1
AVNACLPRNUINSUCNINAL
EPSS
0.79%
51.8th percentile
Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.). Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe version. There are no official workarounds.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 13.0.0 < 13.5.8 | 13.5.8 |
| next | next | >= 14.0.0 < 14.2.21 | 14.2.21 |
| next | next | >= 15.0.0 < 15.1.2 | 15.1.2 |
| vercel | next.js | — | — |
| vercel | next.js | — | — |
| vercel | next.js | — | — |
| vercel | next.js | >= 13.0.0 < 13.5.8 | 13.5.8 |
| vercel | next.js | >= 14.0.0 < 14.2.21 | 14.2.21 |
| vercel | next.js | >= 15.0.0 < 15.1.2 | 15.1.2 |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Next.js Allows a Denial of Service (DoS) with Server Actions
ghsa·2025-01-03
CVE-2024-56332 [MEDIUM] CWE-770 Next.js Allows a Denial of Service (DoS) with Server Actions
Next.js Allows a Denial of Service (DoS) with Server Actions
### Impact
A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.
_Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time._
Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.
This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this
OSV
Next.js Allows a Denial of Service (DoS) with Server Actions
osv·2025-01-03
CVE-2024-56332 [MEDIUM] Next.js Allows a Denial of Service (DoS) with Server Actions
Next.js Allows a Denial of Service (DoS) with Server Actions
### Impact
A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.
_Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time._
Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.
This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this
Red Hat
next.js: Next.js Vulnerable to Denial of Service (DoS) with Server Actions
vendor_redhat·2025-01-03·CVSS 5.3
CVE-2024-56332 [MEDIUM] CWE-770 next.js: Next.js Vulnerable to Denial of Service (DoS) with Server Actions
next.js: Next.js Vulnerable to Denial of Service (DoS) with Server Actions
Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.). Deployments without any protection against long running Server Action invocations are especially vulnerabl
No detection rules found.
No public exploits indexed.
2025-01-03
Published