fkie_cve-2024-56332
Vulnerability from fkie_nvd
Published: 2025-01-03 21:15
Modified: 2025-01-03 21:15
Severity: 5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Summary
Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leave requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed on providers that bill by response time. (Note: the Next.js server is idle during that time and only keeps the connection open; CPU and memory footprint are low during that time.) Deployments without any protection against long-running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations for those, then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe version. There are no official workarounds.
References
- https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9 (source: security-advisories@github.com)
Impacted products
Vendor | Product | Version |
---|---|---|
No CPE configurations are listed yet; the record's status is "Awaiting Analysis".
NVD record (CVE-2024-56332)
- Published: 2025-01-03T21:15:13.550
- Last modified: 2025-01-03T21:15:13.550
- Source identifier: security-advisories@github.com
- Status: Awaiting Analysis
- Descriptions: English (the Summary above) and a Spanish translation of the same text.
- CVSS v3.1 (secondary, source security-advisories@github.com): base score 5.3 MEDIUM; vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (attack vector Network, attack complexity Low, privileges required None, user interaction None, scope Unchanged, confidentiality None, integrity None, availability Low); exploitability score 3.9, impact score 1.4.
- Weakness: CWE-770 (primary, source security-advisories@github.com).
Sightings
Author | Source | Type | Date |
---|---|---|---|
No sightings have been recorded for this vulnerability.
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.