CVE-2024-51479

Summary

Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.

Impact & exploitability

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products we track (1)

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

• NVD record
• https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5fAdvisory
• https://github.com/vercel/next.js/releases/tag/v14.2.15