====================================================================

                                CERT-Renater

                     Information Note No. 2024/VULN374
_____________________________________________________________________

DATE                : 18/09/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Next.js versions prior to 13.5.7,
                                         14.2.10.

=====================================================================
https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9
_____________________________________________________________________

Cache Poisoning
High
ijjk published GHSA-gp8f-8m3g-qvj9 Sep 17, 2024

Package
next (npm)

Affected versions
>=13.5.1
<14.2.10

Patched versions
13.5.7
14.2.10


Description
Impact

By sending a crafted HTTP request, it is possible to poison the cache
of a non-dynamic server-side rendered route in the pages router (this
does not affect the app router). When this crafted request is sent, it
could coerce Next.js to cache a route that is not meant to be cached
and to send a Cache-Control: s-maxage=1, stale-while-revalidate header,
which some upstream CDNs may cache as well.

To be potentially affected, all of the following must apply:

     Next.js between 13.5.1 and 14.2.9
     Using pages router
     Using non-dynamic server-side rendered routes, e.g.
       pages/dashboard.tsx, not pages/blog/[slug].tsx

The below configurations are unaffected:

     Deployments using only app router
     Deployments on Vercel are not affected
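
Added example (not part of the advisory or of Next.js): a Node.js check that applies the three conditions listed above to a project's Next.js version and page files. The version bounds are the advisory's; treating 13.5.7 and later 13.5.x as the patched backport line, recognising server-side rendered pages by an exported getServerSideProps, the function names and the sample file list are assumptions or constructed.

```javascript
// Added example. Version bounds are from the advisory; the rest is assumed.
const SSR_EXPORT = /export\s+(async\s+)?(function|const)\s+getServerSideProps\b/;

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true/false for an exact x.y.z version; null for ranges ("^14.0.0") or
// prereleases, which need the resolved version from the lockfile.
function isAffectedVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) return null;
  const p = m.slice(1).map(Number);
  const inRange = cmp(p, [13, 5, 1]) >= 0 && cmp(p, [14, 2, 10]) < 0;
  // Assumption: 13.5.7 and later 13.5.x releases carry the backported fix.
  const backported = p[0] === 13 && p[1] === 5 && p[2] >= 7;
  return inRange && !backported;
}

// Pages-router page without a [param] segment; API routes and _app/_document excluded.
function isNonDynamicPage(file) {
  const rel = file.replace(/\\/g, "/").replace(/^(\.\/)?(src\/)?/, "");
  if (!/^pages\/.+\.(jsx?|tsx?)$/.test(rel)) return false;
  if (/^pages\/(api\/|_(app|document|error)\.)/.test(rel)) return false;
  return !/\[[^\]]+\]/.test(rel);
}

// files: [{ path, source }]. Returns the routes meeting all three conditions.
function findExposedRoutes(nextVersion, files) {
  const affected = isAffectedVersion(nextVersion);
  if (affected === false) return { status: "version-not-affected", routes: [] };
  const routes = files
    .filter((f) => isNonDynamicPage(f.path) && SSR_EXPORT.test(f.source))
    .map((f) => f.path);
  if (affected === null) return { status: "version-unknown", routes };
  return { status: routes.length ? "potentially-affected" : "no-matching-routes", routes };
}

// Constructed sample project (not taken from any real code base).
const ssr = "export async function getServerSideProps() { return { props: {} }; }";
const SAMPLE_FILES = [
  { path: "pages/dashboard.tsx", source: ssr },
  { path: "pages/blog/[slug].tsx", source: ssr },
  { path: "pages/about.tsx", source: "export default function About() { return null; }" },
  { path: "app/page.tsx", source: "export default function Home() { return null; }" },
];
console.log(findExposedRoutes("14.2.9", SAMPLE_FILES));
```

The check cannot tell where the project is deployed, so the exclusion for deployments on Vercel still has to be applied by hand.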

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later.
We recommend upgrading regardless of whether you can reproduce the issue
or not.


Workarounds

There are no official or recommended workarounds for this issue; we
recommend that users patch to a safe version.


Credits

     Allam Rachid (zhero_)
     Henry Chen


Severity
High

7.5 / 10

CVSS v3 base metrics

     Attack vector       : Network
     Attack complexity   : Low
     Privileges required : None
     User interaction    : None
     Scope               : Unchanged
     Confidentiality     : None
     Integrity           : None
     Availability        : High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2024-46982

Weaknesses
No CWEs


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
