Published Date: December 18, 2024
Package | Affected Versions | Patched Versions | Severity |
---|---|---|---|
📦 next (npm) | >= 9.5.5, < 14.2.15 | 14.2.15 | High |
Description
A high-severity vulnerability was identified in the Next.js framework. It affects applications whose middleware makes authorization decisions based on the request pathname.
Vulnerability Details
Package: next (available via npm)
Affected Versions: >= 9.5.5, < 14.2.15
Patched Version: 14.2.15
Description
This vulnerability affects Next.js applications whose middleware performs authorization checks that depend on the URL pathname. Specifically, the issue allows an attacker to bypass those checks for pages directly under the application's root directory, that is, routes with a single path segment.
For example:
Not affected: https://example.com/
Affected: https://example.com/foo
Not affected: https://example.com/foo/bar
Impact
If your application runs an affected version and uses middleware for authorization with pathname-based rules, it is at risk. An attacker could reach pages the middleware was meant to protect, which might lead to sensitive data exposure or unauthorized actions.
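The example below is added here and is not code from the advisory or from Next.js itself. It models the decision a pathname-based middleware makes, in a form that can be unit-tested offline, and contrasts a "protect list" (everything public unless listed) with a deny-by-default allowlist. The names Session, normalizePath, authorizeProtectList and authorizeAllowlist, the path lists, and the sample requests are this example's own; a real middleware would pass request.nextUrl.pathname in and turn "deny" into a redirect or an error response, which is left out.

```typescript
// Added example: models a middleware's pathname-based authorization decision.
// Not the advisory's or the framework's code; all names and paths are assumed.

export type Session = { userId: string; roles: string[] } | null;
export type Decision = "allow" | "deny";

// Percent-decode one path segment. A malformed escape is kept as-is rather
// than thrown, so an odd request cannot crash the policy and fall through.
function safeDecode(seg: string): string {
  try {
    return decodeURIComponent(seg);
  } catch {
    return seg;
  }
}

// Canonicalise before matching: decode escapes, drop empty and "." segments,
// resolve ".." and strip a trailing slash, so "/admin//./x/" and
// "/admin/%2e%2e/admin/x" both become "/admin/x". This is the example's own
// normalisation (assumption), not a description of how Next.js routes requests.
export function normalizePath(pathname: string): string {
  const out: string[] = [];
  for (const raw of pathname.split("/")) {
    const seg = safeDecode(raw);
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// True when `path` equals `prefix` or sits below it as a whole segment:
// "/admin" covers "/admin/users" but not "/administrator". "/" is exact-only.
function underPrefix(path: string, prefix: string): boolean {
  if (prefix === "/") return path === "/";
  return path === prefix || path.startsWith(prefix + "/");
}

// Pattern A: everything is public unless its prefix is in a protect list.
// Any path the list failed to anticipate is allowed by default.
const PROTECTED_PREFIXES = ["/admin", "/dashboard"];

export function authorizeProtectList(pathname: string, session: Session): Decision {
  const path = normalizePath(pathname);
  const needsLogin = PROTECTED_PREFIXES.some((p) => underPrefix(path, p));
  if (!needsLogin) return "allow";
  return session ? "allow" : "deny";
}

// Pattern B: deny by default. Only an explicit public allowlist is reachable
// without a session, and /admin additionally requires the "admin" role.
// A path nobody thought about is denied instead of silently exposed.
const PUBLIC_PATHS = ["/", "/login", "/api/health"];

export function authorizeAllowlist(pathname: string, session: Session): Decision {
  const path = normalizePath(pathname);
  if (PUBLIC_PATHS.some((p) => underPrefix(path, p))) return "allow";
  if (!session) return "deny";
  if (underPrefix(path, "/admin") && !session.roles.includes("admin")) return "deny";
  return "allow";
}

// Constructed sample requests (not real traffic): a sibling route the protect
// list forgot, and an encoded traversal that resolves back under /admin.
const SAMPLE_PATHS = ["/dashboard", "/dashboard-export", "/login/%2e%2e/admin"];
for (const p of SAMPLE_PATHS) {
  console.log(p, "->", normalizePath(p),
    "protect-list:", authorizeProtectList(p, null),
    "allowlist:", authorizeAllowlist(p, null));
}
```

The point of the comparison is the recommendation to not rely on simple pathname checks alone: with the protect list, "/dashboard-export" is reachable anonymously because nobody listed it, and a raw startsWith("/login") check would have waved "/login/%2e%2e/admin" through; the allowlist denies both once the path is normalised. Whichever shape the middleware takes, the page or route handler serving protected data should still check the session itself.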
Patches & Workarounds
The vulnerability is fixed in Next.js version 14.2.15. Updating to this version or later resolves the issue.
If your application is hosted on Vercel, the vulnerability has been automatically mitigated, regardless of the Next.js version you’re using.
Workarounds
Unfortunately, there are no official workarounds. The best course of action is to update your application to the patched version immediately.
Recommendations
Update Next.js: If you’re running a vulnerable version, upgrade to 14.2.15 or later without delay.
Review Authorization Logic: Treat middleware as one layer rather than the only one. Make its rules deny by default instead of protecting a list of prefixes, and enforce authorization again in the pages and route handlers that serve protected data, so a bypass of a pathname rule does not expose them.
Verify Hosting Environment: If you’re using Vercel, confirm that the automatic mitigation has been applied.
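To act on the "Update Next.js" recommendation across many repositories, it helps to test installed versions against the advisory's range mechanically. The block below is an added example, not code from the advisory or from the Next.js project: it implements the affected range (>= 9.5.5, < 14.2.15) with semver ordering and scans a package-lock.json for every copy of next, including nested copies under other packages. The function names, the constructed lockfile fragment and the package names inside it are assumptions for the demo.

```typescript
// Added example: classify next versions against the advisory range and scan a
// lockfile. Not the advisory's or Next.js's code; names and data are assumed.

export const AFFECTED_MIN = "9.5.5";  // inclusive lower bound from the advisory
export const PATCHED = "14.2.15";     // first fixed release from the advisory

type Semver = { core: [number, number, number]; prerelease: string[] };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]". Build metadata is ignored
// for ordering, as semver requires. Throws on anything else so a garbage
// version string cannot be classified as "safe" by accident.
export function parseSemver(v: string): Semver {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] ? m[4].split(".") : [],
  };
}

// Comparator: negative, zero or positive. Semver rule: a prerelease sorts
// before its release, so "14.2.15-canary.1" < "14.2.15" and a canary of the
// patched version is still counted as affected.
export function compareSemver(a: string, b: string): number {
  const A = parseSemver(a);
  const B = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (A.core[i] !== B.core[i]) return A.core[i] - B.core[i];
  }
  if (A.prerelease.length === 0 && B.prerelease.length === 0) return 0;
  if (A.prerelease.length === 0) return 1;
  if (B.prerelease.length === 0) return -1;
  const n = Math.max(A.prerelease.length, B.prerelease.length);
  for (let i = 0; i < n; i++) {
    const x: string | undefined = A.prerelease[i];
    const y: string | undefined = B.prerelease[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x);
    const yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) - Number(y);
    } else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The advisory's range, exactly as stated: >= 9.5.5 and < 14.2.15.
export function isAffectedNext(version: string): boolean {
  return compareSemver(version, AFFECTED_MIN) >= 0 && compareSemver(version, PATCHED) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every installed copy of next in the affected range. Nested copies
// (node_modules/x/node_modules/next) are easy to miss when only the
// top-level dependency is checked.
export function affectedNextInLockfile(lockJson: string): Array<{ path: string; version: string }> {
  const lock = JSON.parse(lockJson) as { packages?: Record<string, { version?: string }> };
  const hits: Array<{ path: string; version: string }> = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (!meta?.version) continue;
    if (path !== "node_modules/next" && !path.endsWith("/node_modules/next")) continue;
    if (isAffectedNext(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed lockfile fragment (not a real project): a hoisted patched copy
// and a nested vulnerable copy pulled in by a hypothetical plugin. "nextra"
// is there to show that a name merely starting with "next" is not matched.
export const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "14.2.15" },
    "node_modules/some-plugin": { version: "2.0.0" },
    "node_modules/some-plugin/node_modules/next": { version: "13.5.6" },
    "node_modules/nextra": { version: "3.0.0" },
  },
});

console.log(affectedNextInLockfile(SAMPLE_LOCK));
```

Run it against a real lockfile by reading the file into affectedNextInLockfile; an empty result for every copy of next is the condition to look for before closing the finding. Upgrading the hoisted copy alone leaves a nested one like the sample's in place.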