Severity: HIGH · CVE-2024-46982 · CVSS 7.5

CVE-2024-46982: Cache Poisoning in Next.js Pages Router

Platform

nodejs

Component

next

Fixed in

13.5.2

14.0.1

13.5.7

AI Confidence: high · NVD · EPSS 49.1% · Reviewed: May 2026

CVE-2024-46982 describes a cache poisoning vulnerability in Next.js, specifically impacting routes utilizing the pages router. An attacker can craft a malicious HTTP request to coerce Next.js into caching a route that should not be cached, potentially leading to data exposure. This vulnerability affects versions 13.5.1 through 14.2.9 and has been addressed in version 13.5.7.

Impact and Attack Scenarios

The core impact of CVE-2024-46982 lies in the potential for cache poisoning. By sending a carefully crafted HTTP request, an attacker can manipulate Next.js's caching mechanism for non-dynamic server-side rendered routes in the pages router. This can result in the caching of sensitive data or responses that should not be publicly accessible. If an upstream Content Delivery Network (CDN) respects the Cache-Control: s-maxage=1, stale-while-revalidate header, the poisoned cache can be distributed globally, significantly expanding the attack surface. The vulnerability does not affect the app router, limiting its scope but still posing a risk to applications relying on the pages router.

Exploitation Context

CVE-2024-46982 was publicly disclosed on September 17, 2024. While no active exploitation campaigns have been reported, the availability of a proof-of-concept could lead to opportunistic attacks. The vulnerability is not currently listed on the CISA KEV catalog. The relatively straightforward nature of the attack and the widespread use of Next.js warrant careful attention and prompt remediation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
NextGuard: 67% still vulnerable

EPSS

49.06% (98th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base score 7.5 (HIGH), as scored by nextguardhq.com.

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. The attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — the attack is automatic and silent. The victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. The attacker cannot read protected data.
Integrity: None — no integrity impact. The attacker cannot modify data.
Availability: High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: next
Vendor: osv

Affected range        | Fixed in
>= 13.5.1, < 13.5.7   | 13.5.2
>= 14.0.0, < 14.2.10  | 14.0.1
13.5.1                | 13.5.7

Package Information

Last updated: recently (latest package version 16.2.6)

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Patched 1 day after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2024-46982 is to upgrade to Next.js version 13.5.7 or later. This version includes a fix that prevents the cache poisoning vulnerability. If an immediate upgrade is not feasible, consider implementing stricter caching policies on your CDN so that responses carrying the s-maxage header are not stored. Review your Next.js application's routing configuration to ensure that non-dynamic server-side rendered routes are properly configured and not susceptible to manipulation. After upgrading, verify the fix by sending a crafted HTTP request similar to the one described in the vulnerability report and confirming that the route is no longer cached.

How to fix

Update Next.js to version 13.5.7, 14.2.10, or higher. This corrects the cache poisoning vulnerability in non-dynamic server-side rendered routes in the pages router. The update is the recommended solution, regardless of whether you can reproduce the issue.
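Two defender-side checks that follow from the mitigation and fix sections above, as an added example that is not from the advisory or the Next.js project: a version test using the affected ranges listed in the Affected Software table, and a Cache-Control audit that flags responses a shared cache (CDN) would store. The route names and header values in SAMPLE are constructed.

```javascript
// Added example, not from the advisory or Next.js. Two defender-side checks:
//  - isVulnerableNextVersion: the affected ranges the advisory lists
//    (>= 13.5.1 < 13.5.7, >= 14.0.0 < 14.2.10), min inclusive / max exclusive
//  - sharedCacheTtl: reads Cache-Control the way a shared cache (CDN) does, so
//    an audit can flag responses a CDN would store before the upgrade lands
const AFFECTED_RANGES = [
  { min: [13, 5, 1], max: [13, 5, 7] },  // fixed in 13.5.7
  { min: [14, 0, 0], max: [14, 2, 10] }, // fixed in 14.2.10
];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isVulnerableNextVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(r => cmp(v, r.min) >= 0 && cmp(v, r.max) < 0);
}

// Seconds a shared cache may keep the response, 0 if shared caching is off.
// s-maxage wins over max-age for shared caches; private/no-store disable it.
function sharedCacheTtl(cacheControl) {
  const d = new Map();
  for (const part of String(cacheControl || '').split(',')) {
    const [k, val] = part.trim().toLowerCase().split('=');
    if (k) d.set(k, val);
  }
  if (d.has('no-store') || d.has('private')) return 0;
  if (d.has('s-maxage')) return Number(d.get('s-maxage')) || 0;
  if (d.has('max-age')) return Number(d.get('max-age')) || 0;
  return 0;
}

// Routes whose captured Cache-Control a CDN would honour; SAMPLE is constructed
// (the /account header is the one the advisory names as CDN-cacheable).
function auditRoutes(samples) {
  return samples.filter(s => sharedCacheTtl(s.cacheControl) > 0).map(s => s.route);
}
const SAMPLE = [
  { route: '/account', cacheControl: 's-maxage=1, stale-while-revalidate' },
  { route: '/login', cacheControl: 'private, no-cache, no-store, max-age=0' },
];
console.log(auditRoutes(SAMPLE)); // ['/account']
```

Feed auditRoutes the Cache-Control headers captured from a staging deployment of the pages router; any route it returns is one a CDN honouring s-maxage would serve to other users.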


Frequently asked questions

What is CVE-2024-46982 — Cache Poisoning in Next.js?

CVE-2024-46982 is a vulnerability affecting Next.js versions 13.5.1 - 14.2.9 where a crafted HTTP request can poison the cache of non-dynamic routes, potentially exposing sensitive data.

Am I affected by CVE-2024-46982 in Next.js?

You are affected if you are using Next.js versions 13.5.1 through 14.2.9 and utilizing the pages router with non-dynamic server-side rendered routes.

How do I fix CVE-2024-46982 in Next.js?

Upgrade to Next.js version 13.5.7 or later to remediate the vulnerability. Consider stricter CDN caching policies as an interim measure.

Is CVE-2024-46982 being actively exploited?

No active exploitation campaigns have been reported, but the vulnerability's ease of exploitation warrants prompt remediation.

Where can I find the official Next.js advisory for CVE-2024-46982?

Refer to the official Next.js security advisory: https://github.com/vercel/next.js/security/advisories/GHSA-7949-5343-4993
