HTTP Request Smuggling Affecting next package, versions >=13.4.0 <13.5.1


Severity: high

Threat Intelligence
EPSS: 0.04% (9th percentile)

  • Snyk ID SNYK-JS-NEXT-6828456
  • published 10 May 2024
  • disclosed 9 May 2024
  • credit Eli Foster

How to fix?

Upgrade next to version 13.5.1 or higher.

Overview

next is a React framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to the inconsistent interpretation of crafted HTTP requests. An attacker can desynchronize server responses and poison the response queue by sending specially crafted HTTP requests that exploit the rewrites feature.

Note: This patch includes Next.js 14.x.
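As an added example, not code from the Snyk advisory or the Next.js project, the following Node.js script checks whether the next version recorded in a package-lock.json falls inside the affected range (>=13.4.0 <13.5.1) and reports the version to upgrade to. The lockfile fragment is constructed for the demonstration, and the function names (parseVersion, compareVersions, isAffected, auditLockfile) are assumptions.

```javascript
// Added example (not from the Snyk advisory): flag an installed `next` that
// falls inside the affected range of SNYK-JS-NEXT-6828456 and name the fix.

const AFFECTED_MIN = "13.4.0";  // inclusive lower bound, from the advisory
const FIXED_VERSION = "13.5.1"; // first fixed release, from the advisory

// Parse "MAJOR.MINOR.PATCH" with an optional pre-release and build suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

// Semver precedence: compare the numeric tuple, then treat a pre-release
// (e.g. 13.5.1-canary.3) as older than the corresponding release. For an
// audit that is the conservative choice: a canary below the fix is flagged.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// True when the version satisfies >=13.4.0 and <13.5.1.
function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, parseVersion(AFFECTED_MIN)) >= 0 &&
         compareVersions(v, parseVersion(FIXED_VERSION)) < 0;
}

// Inspect a parsed package-lock.json (lockfileVersion 2 or 3 "packages" map)
// for the installed next version and return an audit record.
function auditLockfile(lock) {
  const entry = lock.packages && lock.packages["node_modules/next"];
  if (!entry || !entry.version) {
    return { installed: null, affected: false, fix: null };
  }
  const affected = isAffected(entry.version);
  return { installed: entry.version, affected, fix: affected ? FIXED_VERSION : null };
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { next: "^13.4.0" } },
    "node_modules/next": { version: "13.4.12" },
  },
};

const report = auditLockfile(SAMPLE_LOCK);
console.log(report); // { installed: '13.4.12', affected: true, fix: '13.5.1' }
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the check deliberately reads the lockfile rather than package.json, because the range in package.json says what is allowed, not what is installed.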

References

CVSS Scores

version 3.1

Snyk: 7.5 high (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): None
  • Integrity (I): High
  • Availability (A): None