Next.js Vulnerabilities - 20240513002

Overview

The WA SOC has been made aware of two vulnerabilities found in Next.js. Next.js is a React framework for building full-stack web applications.

What is vulnerable?

CVE	Severity	CVSS	Product(s) Affected	Summary	Dated
CVE-2024-34350	High	7.8	versions before 13.5.1	Response queue poisoning vulnerability exists due to inconsistent interpretation of crafted HTTP requests, which are meant to be treated as a single request and two separate requests	08/05/2024
CVE-2024-34351	High	7.8	versions before 14.1.1	A Server-Side Request Forgery (SSRF) vulnerability exists due to a vulnerable Next.js API endpoint _next/image used to locate an image in the backend	08/05/2024

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of one month... (refer Patch Management):

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-34350
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-34351

Additional References

• Critical Next.js Vulnerability Let Attackers Compromise Server Operations