next
Fixed version
9.5.6
14.2.15
CVE-2024-51479 affects Next.js applications that rely on pathname-based authorization within middleware. This vulnerability allows attackers to bypass these authorization checks, potentially leading to unauthorized access to protected resources. The issue is present in versions prior to Next.js 14.2.15, but has been automatically mitigated for applications hosted on Vercel regardless of Next.js version.
The core impact of CVE-2024-51479 lies in the ability to circumvent authorization logic. If a Next.js application uses middleware to restrict access to specific routes based on the pathname, an attacker can craft requests that bypass this check. This could allow them to access sensitive data, execute unauthorized actions, or even compromise the entire application. The blast radius depends heavily on the application's architecture and the sensitivity of the resources protected by the middleware. A successful exploit could lead to data breaches, privilege escalation, and denial of service.
CVE-2024-51479 was published on December 17, 2024. There is currently no indication of active exploitation in the wild. The vulnerability was responsibly disclosed by tyage (GMO CyberSecurity by IERAE). No KEV or EPSS score is currently available. Public proof-of-concept exploits are not widely available, but the potential for exploitation exists if authorization logic is improperly implemented.
Exploitation status
EPSS: 66.73% (99th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-51479 is to upgrade to Next.js version 14.2.15 or later. For applications hosted on Vercel, the vulnerability is automatically mitigated, so no action is required. Since official workarounds are not available, careful review of authorization logic is crucial. Ensure that authorization checks are robust and not solely reliant on pathname-based restrictions. Consider implementing multi-factor authentication and other security best practices to further protect your application.
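To make the "not solely reliant on pathname-based restrictions" advice concrete, here is an added example (not code from the advisory or from Next.js) contrasting a pathname-only middleware check with a handler that verifies the session itself, so a request that reaches the handler without the middleware check still gets refused. The session store, cookie name, `withRole` wrapper and `serve` simulation are constructed stand-ins, not Next.js APIs.

```javascript
// Constructed session store: token -> principal. In a real app this is a session lookup.
const SESSIONS = {
  'tok-admin': { user: 'alice', role: 'admin' },
  'tok-user': { user: 'bob', role: 'user' },
};

function getSession(req) {
  return SESSIONS[req.cookies.session] ?? null;
}

// Weak pattern named by the advisory: authorization lives only in middleware,
// and only for requests whose pathname matches the protected prefix.
function middlewareOnlyPathname(req) {
  const { pathname } = new URL(req.url);
  if (pathname.startsWith('/admin')) {
    const s = getSession(req);
    if (!s || s.role !== 'admin') return { status: 403 };
  }
  return { status: 200, next: true };
}

// Handler with no check of its own: only safe if middleware always ran first.
function adminReportHandlerWeak(req) {
  return { status: 200, body: 'quarterly report' };
}

// Hardened (assumed helper): every protected handler re-verifies the session
// and role itself, independent of what the middleware decided.
function withRole(role, handler) {
  return (req) => {
    const s = getSession(req);
    if (!s) return { status: 401 };
    if (s.role !== role) return { status: 403 };
    return handler(req, s);
  };
}
const adminReportHandler = withRole('admin', (req, s) => ({ status: 200, body: 'quarterly report' }));

// Simulates the app's pipeline. When middlewareApplied is false the handler is
// reached without the middleware decision, which is the failure mode to defend against.
function serve(handler, req, middlewareApplied) {
  if (middlewareApplied) {
    const mw = middlewareOnlyPathname(req);
    if (!mw.next) return mw;
  }
  return handler(req);
}

// Constructed requests used by the checks below.
const userReq = { url: 'https://app.example/admin/report', cookies: { session: 'tok-user' } };
const adminReq = { url: 'https://app.example/admin/report', cookies: { session: 'tok-admin' } };
const anonReq = { url: 'https://app.example/admin/report', cookies: {} };
```

With the middleware in place both designs refuse the non-admin user, but only the wrapped handler keeps refusing when the middleware decision is absent.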
Update Next.js to version 14.2.15 or later. If your Next.js application is hosted on Vercel, the vulnerability has already been automatically mitigated. Otherwise, update your Next.js version as soon as possible.
CVE-2024-51479 is a vulnerability in Next.js where attackers can bypass pathname-based authorization in middleware, potentially gaining unauthorized access to protected resources. It's rated HIGH severity (CVSS 7.5).
You are affected if you are using Next.js versions prior to 14.2.15 and your application relies on pathname-based authorization in middleware. Applications hosted on Vercel are automatically mitigated regardless of version.
Upgrade to Next.js version 14.2.15 or later. If hosted on Vercel, the vulnerability is automatically mitigated. Review and strengthen your authorization logic.
There is currently no indication of active exploitation in the wild, but the potential for exploitation exists.
Refer to the Next.js security advisory for detailed information: [https://github.com/vercel/next.js/security/advisories/GHSA-9x44-x444-x444](https://github.com/vercel/next.js/security/advisories/GHSA-9x44-x444-x444)