First published: Tue Dec 17 2024(Updated: )
### Impact

If a Next.js application is performing authorization in middleware based on the request pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example:

* [Not affected] `https://example.com/`
* [Affected] `https://example.com/foo`
* [Not affected] `https://example.com/foo/bar`

### Patches

This issue was patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

### Workarounds

There are no official workarounds for this vulnerability.

#### Credits

We'd like to thank [tyage](http://github.com/tyage) (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.
Affected Software | Affected Version | How to fix
---|---|---
npm/next | >=9.5.5 <14.2.15 | Upgrade to 14.2.15
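To turn the affected range in the table above into a repeatable check, the following script reads the resolved `next` version out of a `package-lock.json` and reports whether it falls inside `>=9.5.5 <14.2.15`. This is an added example written for this page, not code from the advisory or from the Next.js project; the lockfile fragment is constructed, the comparator handles plain `MAJOR.MINOR.PATCH` strings and strips pre-release suffixes (so a canary build is reported as its base release, which is an assumption, not advisory guidance), and it has no dependencies. Note that the advisory states Vercel-hosted applications were mitigated regardless of version, so a hit from this check is a prompt to upgrade rather than proof of exposure in every deployment.

```javascript
// Added example (not part of the advisory): flag an installed `next` version
// that lies in the affected range stated in the advisory table.

const AFFECTED_MIN = '9.5.5';    // inclusive lower bound, from the table
const FIXED_VERSION = '14.2.15'; // exclusive upper bound: the patched release

// Parse "MAJOR.MINOR.PATCH" (optionally prefixed with "v"). A pre-release
// suffix such as "-canary.3" is ignored, so "14.2.15-canary.3" is treated as
// 14.2.15; this is a simplification, not the advisory's own semantics.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric part-by-part comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when AFFECTED_MIN <= version < FIXED_VERSION.
function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, FIXED_VERSION) < 0;
}

// Locate the resolved `next` version in a parsed package-lock.json.
// lockfileVersion 2/3 keys entries by path under "packages"; v1 uses
// "dependencies".
function installedNextVersion(lockfile) {
  const pkg = lockfile.packages && lockfile.packages['node_modules/next'];
  if (pkg && pkg.version) return pkg.version;
  const dep = lockfile.dependencies && lockfile.dependencies.next;
  if (dep && dep.version) return dep.version;
  return null;
}

// Summarise the finding for a single lockfile.
function assess(lockfile) {
  const version = installedNextVersion(lockfile);
  if (version === null) {
    return { version: null, affected: false, note: 'next not found in lockfile' };
  }
  const affected = isAffected(version);
  return {
    version,
    affected,
    note: affected ? `upgrade next to ${FIXED_VERSION} or later` : 'not in affected range',
  };
}

// Constructed sample lockfile fragment (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: { 'node_modules/next': { version: '14.2.14' } },
};

console.log(assess(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the range boundaries are kept in two constants so the same script can be reused for later advisories by editing only those values.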