Versions referenced: 13.3.2, 13.5.0 (fixed)
CVE-2024-39693 describes a Denial of Service (DoS) vulnerability discovered in Next.js. Successful exploitation can lead to a server crash, resulting in a loss of service availability. This vulnerability impacts all Next.js deployments running versions before 13.5.0. A patch is available in Next.js 13.5.0 and later.
The primary impact of CVE-2024-39693 is a Denial of Service. An attacker can exploit this vulnerability to cause the Next.js server to crash, rendering the application unavailable to legitimate users. This can disrupt business operations, impact user experience, and potentially lead to financial losses. The vulnerability's broad impact extends to all Next.js deployments on affected versions, making it a widespread concern for developers and organizations relying on the framework. While the description doesn't detail a specific attack vector, the ability to trigger a crash suggests a potential for resource exhaustion or malformed input that overwhelms the server.
CVE-2024-39693 was publicly disclosed on July 10, 2024. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. The discovery was credited to Thai Vu of flyseccorp.com and Aonan Guan.
EPSS: 0.51% (67th percentile)
The recommended mitigation for CVE-2024-39693 is to upgrade to Next.js version 13.5.0 or later, which includes the fix. Unfortunately, there are no official workarounds available for this vulnerability. Prior to upgrading, consider testing the new version in a staging environment to ensure compatibility with existing applications and dependencies. After upgrading, confirm the fix by attempting to reproduce the DoS condition with known attack vectors (if available) or by monitoring server stability under load.
Update Next.js to version 13.5.0 or higher. This will resolve the denial of service vulnerability. You can update using npm or yarn.
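A quick way to check whether a deployment still sits on a pre-fix release is to compare the `next` version resolved in the project's `package-lock.json` against 13.5.0. The script below is an added example, not code from the advisory or from the Next.js project; the lockfile fragment in it is constructed, and it assumes, as the advisory states, that 13.5.0 is the first patched release (so prerelease builds that sort before 13.5.0 under semver are treated as affected).

```javascript
// Added example, not from the advisory: flag a Next.js install older than the
// 13.5.0 fix for CVE-2024-39693 by reading the version from a package-lock.json.
const FIXED_VERSION = "13.5.0"; // first patched release named in the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// Semver prerelease order: no prerelease > any prerelease; numeric ids before alphanumeric; longer equal prefix wins.
function comparePre(a, b) {
  if (a.length === 0 || b.length === 0) return Math.sign(b.length - a.length);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined) return -1;
    if (b[i] === undefined) return 1;
    const na = /^\d+$/.test(a[i]), nb = /^\d+$/.test(b[i]);
    if (na && nb) { if (+a[i] !== +b[i]) return +a[i] < +b[i] ? -1 : 1; }
    else if (na !== nb) return na ? -1 : 1;
    else if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Comparator over full versions: -1, 0 or 1.
function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  return comparePre(a.pre, b.pre);
}

// Predates the fix? Canary builds like 13.5.0-canary.10 sort before 13.5.0, so they are flagged too (assumption).
function isAffected(installedVersion) {
  return compareSemver(installedVersion, FIXED_VERSION) < 0;
}
// Read the resolved `next` version from a lockfileVersion 2/3 object.
function nextVersionFromLock(lock) {
  const entry = lock.packages && lock.packages["node_modules/next"];
  if (!entry || !entry.version) throw new Error("next not present in lockfile");
  return entry.version;
}
// Constructed sample lockfile fragment (not a real project's file).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { next: "^13.4.0" } }, "node_modules/next": { version: "13.4.12" } } };
function auditLock(lock = SAMPLE_LOCK) {
  const version = nextVersionFromLock(lock);
  return { version, affected: isAffected(version) };
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.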
CVE-2024-39693 is a Denial of Service vulnerability in Next.js that can cause the server to crash, impacting availability. It has a CVSS score of 7.5 (HIGH).
You are affected if you are using Next.js versions prior to 13.5.0. All Next.js deployments on these versions are potentially vulnerable.
Upgrade to Next.js version 13.5.0 or later to resolve the vulnerability. There are no official workarounds available.
There is currently no evidence of active exploitation in the wild or publicly available proof-of-concept exploits.
Refer to the Next.js security advisory for detailed information and updates: [https://github.com/vercel/next.js/security/advisories/CVE-2024-39693](https://github.com/vercel/next.js/security/advisories/CVE-2024-39693)