CVE-2024-51479
Next.js 9.5.5-14.2.14 - Improper Authorization via Pathname-Based Middleware Bypass
Severity: HIGH
Next.js is a React framework for building full-stack web applications. In affected versions, if a Next.js application performs authorization in middleware based on the request pathname, that authorization could be bypassed for pages directly under the application's root directory, that is, routes with exactly one path segment. For example:

* [Not affected] `https://example.com/`
* [Affected] `https://example.com/foo`
* [Not affected] `https://example.com/foo/bar`

This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability; upgrade to `14.2.15` or later.
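The first check a practitioner wants from this advisory is whether an installed `next` package falls inside the affected range. The following is an added example, not code from the advisory or from the Next.js project: it parses a semver string and tests it against the range the advisory gives (9.5.5 through 14.2.14, fixed in 14.2.15). The `auditNextPackage` helper and the `SAMPLE_PACKAGE_JSON` object are assumptions for illustration; the sample stands in for the contents of `node_modules/next/package.json` in a project.

```javascript
// Added example (not from the advisory or Next.js): report whether an
// installed `next` version is inside the affected range for CVE-2024-51479.

// Bounds taken from the advisory: first affected release and first fixed release.
const FIRST_AFFECTED = [9, 5, 5];
const FIRST_FIXED = [14, 2, 15];

// Parse "major.minor.patch", tolerating a leading "v" and a prerelease/build
// suffix such as "-canary.3". The suffix is ignored, so a canary of 14.2.15 is
// treated as 14.2.15; check canary builds against the release notes by hand.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of [major, minor, patch]; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when FIRST_AFFECTED <= version < FIRST_FIXED.
function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, FIRST_AFFECTED) >= 0 && compareVersions(v, FIRST_FIXED) < 0;
}

// Hypothetical helper: takes the parsed package.json of the installed `next`
// package and returns an audit record. Version is the only signal used here;
// the advisory's note that Vercel-hosted apps are mitigated regardless of
// version is a hosting property this check cannot see.
function auditNextPackage(pkg) {
  if (pkg.name !== 'next') throw new Error(`expected package "next", got "${pkg.name}"`);
  return { version: pkg.version, affected: isAffected(pkg.version), fixedIn: '14.2.15' };
}

// Constructed sample: what node_modules/next/package.json might contain.
const SAMPLE_PACKAGE_JSON = { name: 'next', version: '14.2.14' };

console.log(auditNextPackage(SAMPLE_PACKAGE_JSON));
```

To run it against a real project, replace `SAMPLE_PACKAGE_JSON` with `JSON.parse(fs.readFileSync('node_modules/next/package.json', 'utf8'))`; the version in `package.json` itself may be a range such as `^14.2.0`, so read the installed package rather than the manifest.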
References (2)
Vendor Advisory: https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f
Release Notes: https://github.com/vercel/next.js/releases/tag/v14.2.15
Scores
CVSS v3: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
EPSS: 0.7851 (78.5% estimated probability of exploitation activity in the next 30 days)
EPSS Percentile: 99.1%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-285 (Improper Authorization), CWE-863 (Incorrect Authorization)
Status: published
Products (2)
npm/next: >= 9.5.5, < 14.2.15 (fixed in 14.2.15)
vercel/next.js: >= 9.5.5, < 14.2.15 (fixed in 14.2.15)
Published: Dec 17, 2024
Tracked Since: Feb 18, 2026