Next.js is a popular React framework for building full-stack web applications. A security vulnerability (CVE-2024-56332) has been discovered in versions 13.0.0 to 13.5.7, 14.0.0 to 14.2.20, and 15.0.0 to 15.1.1, affecting Server Actions. If exploited, this vulnerability can lead to a Denial of Service (DoS) attack.
In this post, we'll discuss the details of this vulnerability and provide steps to resolve it, ensuring the security of your Next.js applications.
Vulnerability Details
A vulnerability exists in Next.js Server Actions that allows an attacker to construct a request that causes the request to hang until the hosting provider cancels the function execution. This vulnerability can also be exploited for a Denial of Wallet (DoW) attack when the application is deployed on hosting providers that bill based on response times.
During the attack, the Next.js server remains idle, only keeping the connection open—resulting in a negligible CPU and memory footprint. This issue is similar to an incoming HTTP request with an invalid Content-Length header or an unclosed connection.
Deployments without any protection against long-running Server Action invocations are especially vulnerable to this exploit. Hosting providers like Vercel and Netlify often have a default maximum duration on function execution to mitigate this risk. However, if the host lacks mitigations against these issues, this vulnerability becomes more critical.
This vulnerability affects only Next.js deployments using Server Actions.
A malicious attacker could use the following code snippet to exploit this vulnerability:
const maliciousRequest = async () => {
  const response = await fetch('https://your-nextjs-app.com/api/your-server-action', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Content-Length': '10000000' // An invalid Content-Length value
    },
    body: JSON.stringify({ someData: 'payload' }),
  });
  console.log('Response:', response.status);
};
maliciousRequest();
Solution
The Next.js team has addressed this vulnerability in versions 13.5.8, 14.2.21, and 15.1.2. It is strongly recommended to upgrade your Next.js application to a secure version as soon as possible.
To upgrade Next.js, update your package.json with the following dependencies:
{
  "dependencies": {
    "next": "15.1.2",
    "react": "17.0.2",
    "react-dom": "17.0.2"
  }
}
Then, run the following command to install the new version:
npm install
You can find more information on this vulnerability in the original references:
- Next.js GitHub Repository
- CVE-2024-56332 Official Details
- Release Notes for Next.js 13.5.8
- Release Notes for Next.js 14.2.21
- Release Notes for Next.js 15.1.2
Conclusion
The CVE-2024-56332 vulnerability in Next.js is a serious issue that affects Server Actions in specific versions of the framework. Upgrading to the latest, secure version of Next.js is the best way to prevent exploitation of this vulnerability in your application. Be sure to stay up-to-date on security patches and always follow best practices to protect your deployments.
Timeline
Published on: 01/03/2025 21:15:13 UTC