HTTP Request Smuggling Affecting next package, versions >=13.4.0 <13.5.1


Severity

high (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS: 0.04% (10th percentile)

  • Snyk ID SNYK-JS-NEXT-6828456
  • published 10 May 2024
  • disclosed 9 May 2024
  • credit Eli Foster

How to fix?

Upgrade next to version 13.5.1 or higher.

Overview

next is a React framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to the inconsistent interpretation of crafted HTTP requests. An attacker can desynchronize server responses and poison the response queue by sending specially crafted HTTP requests that exploit the rewrites feature.

Note: Next.js 14.x also includes this patch.
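As an added check (not code from the advisory or from the Next.js project), the script below decides whether each `next` entry in a package-lock.json falls inside the affected range >=13.4.0 <13.5.1. The SemVer comparison is a minimal one written here rather than the `semver` package, and the lockfile fragment is constructed for illustration.

```javascript
// Added example (not from the Snyk advisory or the Next.js project): flag an
// installed `next` version that falls inside the affected range >=13.4.0 <13.5.1.
// Plain SemVer comparison with no `semver` dependency, so it runs offline in CI.
// Prerelease tags follow SemVer ordering (13.5.1-canary.3 sorts before 13.5.1),
// so strictly by the advisory's range such a tag is still flagged.
const AFFECTED_MIN = '13.4.0'; // inclusive lower bound from the advisory
const FIXED_AT = '13.5.1';     // exclusive upper bound: first fixed release

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a SemVer version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Prerelease identifiers: numeric ones compare numerically and rank below alphanumeric ones.
function cmpIdent(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an !== bn) return an ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  // Same core: a prerelease ranks below the release; otherwise compare identifier by identifier.
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; i < Math.min(x.pre.length, y.pre.length); i++) {
    const c = cmpIdent(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(x.pre.length - y.pre.length);
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 && compareVersions(version, FIXED_AT) < 0;
}

// Scan the "packages" map of a package-lock.json (lockfileVersion 2 or 3), including
// nested copies installed under other dependencies, and return every affected `next`.
function findAffectedNext(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p, info]) => /(^|\/)node_modules\/next$/.test(p) && info.version && isAffected(info.version))
    .map(([p, info]) => ({ path: p, version: info.version }));
}

// Constructed lockfile fragment: one affected copy, one already on the fixed release.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/next': { version: '13.4.12' },
  'node_modules/some-tool/node_modules/next': { version: '13.5.1' } } };
console.log(findAffectedNext(SAMPLE_LOCK)); // [ { path: 'node_modules/next', version: '13.4.12' } ]
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.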

CVSS Scores (version 3.1)

Snyk: 7.5 high (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): None
  • Integrity (I): High
  • Availability (A): None