CVE-2024-46982: Next.js Cache Poisoning
(updated )
By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.
To be potentially affected all of the following must apply:
- Next.js between 13.5.1 and 14.2.9
- Using pages router
- Using non-dynamic server-side rendered routes e.g.
pages/dashboard.tsxnotpages/blog/[slug].tsx
The below configurations are unaffected:
- Deployments using only app router
- Deployments on Vercel are not affected
References
- github.com/advisories/GHSA-gp8f-8m3g-qvj9
- github.com/vercel/next.js
- github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3
- github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda
- github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9
- nvd.nist.gov/vuln/detail/CVE-2024-46982
Detect and mitigate CVE-2024-46982 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →