Platform: nodejs
Component: next
Fixed in: 13.0.1, 14.0.1, 15.0.1, 13.5.8
CVE-2024-56332 describes a Denial of Service (DoS) vulnerability within Next.js Server Actions. Attackers can craft requests that cause Server Actions to remain in a pending state, consuming resources until the hosting provider terminates the function execution. This vulnerability impacts versions prior to 13.5.8, and a patch has been released to address the issue.
The primary impact of CVE-2024-56332 is a denial of service. An attacker can repeatedly trigger Server Actions with requests designed to hang indefinitely, effectively preventing legitimate users from accessing those actions. While the Next.js server itself has a low CPU and memory footprint during this hanging state, the prolonged connection can still exhaust hosting provider resources and lead to service disruption. This is analogous to a resource exhaustion attack, where the attacker aims to overwhelm the system's capacity to handle requests. Deployments without protection against long-running Server Action invocations are particularly vulnerable, as hosting providers often impose limits on function execution duration to prevent excessive billing and abuse.
CVE-2024-56332 was publicly disclosed on January 3, 2025. There are currently no known public proof-of-concept exploits available. The vulnerability's impact is primarily related to resource exhaustion, and its probability of exploitation is considered medium, given the potential for attackers to craft malicious requests. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.34% (57th percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation for CVE-2024-56332 is to upgrade to Next.js version 13.5.8 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing rate limiting or request timeouts on Server Actions to prevent malicious actors from triggering excessive or prolonged requests. Additionally, review your hosting provider's documentation regarding function execution limits and ensure your deployments are configured to adhere to those limits. Monitoring Server Action execution times can also help identify and mitigate potential DoS attacks.
Update Next.js to version 13.5.8, 14.2.21, or 15.1.2, or a later version. This corrects the denial of service vulnerability in Server Actions. If you cannot update immediately, consider implementing protections against long-running Server Action invocations, such as setting a maximum execution time.
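As an added illustration of the "maximum execution time" workaround described above (this is not code from the Next.js project or the advisory), the wrapper below bounds how long a Server Action may stay pending; the helper names `withTimeout`, `ActionTimeoutError`, `classify` and the two stand-in actions are assumptions made for the example.

```javascript
// Added example, not Next.js project code: bound how long a Server Action may
// stay pending so a request crafted to hang it is cut off rather than holding
// the function open. Helper names and stand-in actions are assumptions.
class ActionTimeoutError extends Error {
  constructor(ms) {
    super(`server action exceeded ${ms} ms`);
    this.name = 'ActionTimeoutError';
  }
}
// Wrap an action so it rejects after `ms` ms. The AbortSignal handed to the
// action lets cooperative work (fetch, DB clients) stop instead of running on.
function withTimeout(action, ms) {
  return async function bounded(...args) {
    const controller = new AbortController();
    let timer;
    const deadline = new Promise((_, reject) => {
      timer = setTimeout(() => {
        reject(new ActionTimeoutError(ms)); // reject first so the race sees it
        controller.abort();
      }, ms);
    });
    try {
      return await Promise.race([action(controller.signal, ...args), deadline]);
    } finally {
      clearTimeout(timer); // never leave the timer holding the event loop open
    }
  };
}
// Constructed stand-ins for Server Actions; `hangingAction` models the
// vulnerable behaviour: it never settles unless aborted.
function hangingAction(signal) {
  return new Promise((_, reject) => {
    signal.addEventListener('abort', () => reject(new Error('aborted')), { once: true });
  });
}
async function quickAction(signal, name) {
  return `hello ${name}`;
}
const boundedHanging = withTimeout(hangingAction, 100);
const boundedQuick = withTimeout(quickAction, 100);
// 'timeout' if the bounded action was cut off, 'settled' if it completed.
async function classify(fn, ...args) {
  try {
    await fn(...args);
    return 'settled';
  } catch (err) {
    return err instanceof ActionTimeoutError ? 'timeout' : 'error';
  }
}
```

In a real deployment the bound should sit below the hosting provider's function execution limit, so a hung invocation is released by the application rather than by the platform.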
CVE-2024-56332 is a Denial of Service vulnerability in Next.js Server Actions, allowing attackers to hang requests and potentially exhaust hosting provider resources.
You are affected if you are running a Next.js version prior to 13.5.8 and your application uses Server Actions.
Upgrade to Next.js version 13.5.8 or later to resolve this vulnerability. Consider implementing rate limiting and request timeouts as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability's potential impact warrants prompt mitigation.
Refer to the official Next.js security advisory for detailed information and updates: [https://github.com/vercel/next.js/security/advisories/GHSA-xxxx-xxxx-xxxx](Replace with actual advisory URL when available)