Acceptance of Extraneous Untrusted Data With Trusted Data Affecting next package, versions >=13.5.1 <13.5.7 >=14.0.0 <14.2.10
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-NEXT-8025427
- published 18 Sep 2024
- disclosed 17 Sep 2024
- credit Henry Chen, Allam Rachid
Introduced: 17 Sep 2024
CVE-2024-46982 Open this link in a new tabHow to fix?
Upgrade next
to version 13.5.7, 14.2.10 or higher.
Overview
next is a react framework.
Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data by sending a crafted HTTP request, which allows the attacker to poison the cache of a non-dynamic server-side rendered route in the page router. This will coerce the request to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, a stale-while-revalidate
header, which some upstream CDNs may cache as well.
Note:
This is only vulnerable if:
The user is using pages router
The user is using non-dynamic server-side rendered routes.
Users are not affected if:
They are using the app router
The deployments are on Vercel