Threat Insight
Critical Next.js Authorization Bypass Vulnerability
A new vulnerability affects Next.js (a React framework for building full-stack web applications) applications that perform authorization in middleware (functions that are executed between the request and response cycles) based on pathname.
This specifically affects pages directly under the application’s root directory.
Example:
[Not affected] hxxps[://]example[.]com
[Affected] hxxps[://]example[.]com/foo
[Not affected] hxxps[://]example[.]com/foo/bar
Successful exploitation of this vulnerability allows a remote unauthenticated attacker to gain access to restricted areas of the application that are meant for authorized users only.
They might also be able to modify data or potentially elevate their access level within the application.
CVE
CVE-2024-51479
Affected Products
next (npm) version >= 9.5.5, < 14.2.15
Exploitation
Although there have not been any reports of this vulnerability being exploited in the wild or of a publicly available proof-of-concept (PoC) exploit, Next.js is an open-source framework that is widely used and its code is publicly accessible.
This increases the likelihood of the CVE-2024-51479 vulnerability being scrutinized by malicious actors.
Recommended Actions
Apply the latest updates to Next.js. This vulnerability has been patched in version 14.2.15 and above.
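As an added example (not part of the advisory or of Next.js itself), the following Node.js script checks a parsed package-lock.json for installed copies of next inside the affected range given above and lists which middleware-protected paths sit directly under the root. The lockfile contents and the path list are constructed sample input, the function names are hypothetical, and pre-release suffixes are ignored as a simplification.

```javascript
// Added example (not from the advisory). Inventory check for CVE-2024-51479.
// Affected range taken from the advisory: next >= 9.5.5, < 14.2.15.
const AFFECTED_MIN = [9, 5, 5];
const FIXED_IN = [14, 2, 15];

// Parse "14.2.3" or "14.2.3-canary.1" into [14, 2, 3]. Pre-release tags are
// ignored (simplification), so review pre-release builds of 14.2.15 by hand.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffectedVersion(v) {
  const p = parseVersion(v);
  return p !== null && compare(p, AFFECTED_MIN) >= 0 && compare(p, FIXED_IN) < 0;
}

// The advisory scopes the issue to pages directly under the root:
// "/foo" is in scope; "/" and "/foo/bar" are not.
function isRootLevelPath(pathname) {
  return pathname.split("/").filter(Boolean).length === 1;
}

// Find every installed copy of next in a parsed package-lock.json (v2/v3
// "packages" map) and list the middleware-protected paths needing review.
function auditLockfile(lock, protectedPaths) {
  const installs = Object.entries(lock.packages || {})
    .filter(([key]) => key === "node_modules/next" || key.endsWith("/node_modules/next"))
    .map(([key, pkg]) => ({ location: key, version: pkg.version, affected: isAffectedVersion(pkg.version) }));
  const exposed = installs.some((i) => i.affected) ? protectedPaths.filter(isRootLevelPath) : [];
  return { installs, exposed };
}

// Constructed sample input, not real project data.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/next": { version: "14.2.3" },
  "node_modules/react": { version: "18.3.1" },
} };
const report = auditLockfile(sampleLock, ["/", "/admin", "/admin/users", "/billing"]);
console.log(JSON.stringify(report, null, 2));
```

In a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` as the first argument and the list of pathnames your middleware is expected to protect as the second.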