修复版本
13.5.2
14.0.1
13.5.7
CVE-2024-46982 describes a cache poisoning vulnerability in Next.js, specifically impacting routes utilizing the pages router. An attacker can craft a malicious HTTP request to coerce Next.js into caching a route that should not be cached, potentially leading to data exposure. This vulnerability affects versions 13.5.1 through 14.2.9 and has been addressed in version 13.5.7.
The core impact of CVE-2024-46982 lies in the potential for cache poisoning. By sending a carefully crafted HTTP request, an attacker can manipulate Next.js's caching mechanism for non-dynamic server-side rendered routes in the pages router. This can result in the caching of sensitive data or responses that should not be publicly accessible. If an upstream Content Delivery Network (CDN) respects the Cache-Control: s-maxage=1, stale-while-revalidate header, the poisoned cache can be distributed globally, significantly expanding the attack surface. The vulnerability does not affect the app router, limiting its scope but still posing a risk to applications relying on the pages router.
CVE-2024-46982 was publicly disclosed on September 17, 2024. While no active exploitation campaigns have been reported, the availability of a proof-of-concept could lead to opportunistic attacks. The vulnerability is not currently listed on the CISA KEV catalog. The relatively straightforward nature of the attack and the widespread use of Next.js warrant careful attention and prompt remediation.
Applications built with Next.js that utilize the pages router and rely on non-dynamic server-side rendered routes are at risk. This includes projects using older versions of Next.js (13.5.1 - 14.2.9) and those that have not implemented robust caching policies on their CDNs. Shared hosting environments using Next.js are also particularly vulnerable due to the potential for cross-tenant cache poisoning.
• nodejs / server:
# Check Next.js version
npm list next• nodejs / server:
# Review Next.js configuration files (next.config.js) for caching settings.
grep -r 'cache' next.config.js• generic web:
# Inspect HTTP response headers for Cache-Control: s-maxage
curl -I https://your-nextjs-app.com/dashboarddisclosure
漏洞利用状态
EPSS
49.06% (98% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2024-46982 is to upgrade to Next.js version 13.5.7 or later. This version includes a fix that prevents the cache poisoning vulnerability. If an immediate upgrade is not feasible, consider implementing stricter caching policies on your CDN to prevent caching of responses with the s-maxage header. Review your Next.js application's routing configuration to ensure that non-dynamic server-side rendered routes are properly configured and not susceptible to manipulation. After upgrading, verify the fix by sending a crafted HTTP request similar to the one described in the vulnerability report and confirming that the route is not cached as expected.
Actualice Next.js a la versión 13.5.7, 14.2.10 o superior. Esto corrige la vulnerabilidad de envenenamiento de caché en las rutas renderizadas del lado del servidor no dinámicas en el enrutador de páginas. La actualización es la solución recomendada, independientemente de si puede reproducir el problema.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2024-46982 is a vulnerability affecting Next.js versions 13.5.1 - 14.2.9 where a crafted HTTP request can poison the cache of non-dynamic routes, potentially exposing sensitive data.
You are affected if you are using Next.js versions 13.5.1 through 14.2.9 and utilizing the pages router with non-dynamic server-side rendered routes.
Upgrade to Next.js version 13.5.7 or later to remediate the vulnerability. Consider stricter CDN caching policies as an interim measure.
No active exploitation campaigns have been reported, but the vulnerability's ease of exploitation warrants prompt remediation.
Refer to the official Next.js security advisory: https://github.com/vercel/next.js/security/advisories/GHSA-7949-5343-4993
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。