Platform: nodejs
Component: next
Fixed versions: 13.0.1, 14.0.1, 15.0.1, 13.5.8
CVE-2024-56332 describes a Denial of Service (DoS) vulnerability within Next.js Server Actions. Attackers can craft requests that cause Server Actions to remain in a pending state, consuming resources until the hosting provider terminates the function execution. This vulnerability impacts versions prior to 13.5.8, and a patch has been released to address the issue.
The primary impact of CVE-2024-56332 is a denial of service. An attacker can repeatedly trigger Server Actions with requests designed to hang indefinitely, effectively preventing legitimate users from accessing those actions. While the Next.js server itself has a low CPU and memory footprint during this hanging state, the prolonged connection can still exhaust hosting provider resources and lead to service disruption. This is analogous to a resource exhaustion attack, where the attacker aims to overwhelm the system's capacity to handle requests. Deployments without protection against long-running Server Action invocations are particularly vulnerable, as hosting providers often impose limits on function execution duration to prevent excessive billing and abuse.
CVE-2024-56332 was publicly disclosed on January 3, 2025. There are currently no known public proof-of-concept exploits available. The vulnerability's impact is primarily related to resource exhaustion, and its probability of exploitation is considered medium, given the potential for attackers to craft malicious requests. It is not currently listed on the CISA KEV catalog.
Applications utilizing Next.js Server Actions, particularly those deployed on shared hosting platforms like Vercel or Netlify, are at increased risk. Organizations relying on Server Actions for critical functionality or those with inadequate monitoring and alerting mechanisms are also more vulnerable.
• nodejs / server: Monitor Server Action execution times using application performance monitoring (APM) tools. Set alerts for actions exceeding a predefined threshold.

    // Example: using the Node.js built-in process.hrtime to measure execution time
    const start = process.hrtime();
    // ... Server Action logic ...
    const end = process.hrtime(start);                 // [seconds, nanoseconds] elapsed since start
    const executionTimeInSeconds = end[0] + end[1] / 1e9;
    if (executionTimeInSeconds > 5) {                  // alert threshold: 5 seconds
      console.warn('Server Action exceeded timeout');
    }

• nodejs / server: Review application logs for unusual patterns of Server Action invocations, such as a high volume of requests from a single IP address or user.
• nodejs / server: Implement rate limiting on Server Actions to restrict the number of requests from a single source within a given timeframe.
Disclosure
Exploitation status
EPSS: 0.34% (57th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2024-56332 is to upgrade to Next.js version 13.5.8 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing rate limiting or request timeouts on Server Actions to prevent malicious actors from triggering excessive or prolonged requests. Additionally, review your hosting provider's documentation regarding function execution limits and ensure your deployments are configured to adhere to those limits. Monitoring Server Action execution times can also help identify and mitigate potential DoS attacks.
Update Next.js to version 13.5.8, 14.2.21 or 15.1.2, or a later version. This fixes the denial of service vulnerability in Server Actions. If you cannot update immediately, consider implementing protections against long-running Server Action invocations, such as setting a maximum execution time.
CVE-2024-56332 is a Denial of Service vulnerability in Next.js Server Actions, allowing attackers to hang requests and potentially exhaust hosting provider resources.
You are affected if you are using Next.js versions prior to 13.5.8 and are utilizing Server Actions.
Upgrade to Next.js version 13.5.8 or later to resolve this vulnerability. Consider implementing rate limiting and request timeouts as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability's potential impact warrants prompt mitigation.
Refer to the official Next.js security advisory for detailed information and updates (advisory URL placeholder, to be replaced with the actual advisory URL when available): https://github.com/vercel/next.js/security/advisories/GHSA-xxxx-xxxx-xxxx