CVE-2024-56332

EPSS 0.73%
Veröffentlicht 03.01.2025 21:15:13
Zuletzt bearbeitet 10.09.2025 15:48:41
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.). Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe version. There are no official workarounds.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vercel ≫ Next.Js SwPlatformnode.js Version >= 13.0.0 < 13.5.8

Vercel ≫ Next.Js SwPlatformnode.js Version >= 14.0.0 < 14.2.21

Vercel ≫ Next.Js SwPlatformnode.js Version >= 15.0.0 < 15.1.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.73%	0.719

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-56332

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-56332

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-56332

EUVD