Next.js Denial of Service (DoS) condition

High severity GitHub Reviewed Published Jul 10, 2024 in vercel/next.js • Updated Jul 10, 2024

Package

next (npm)

Affected versions

>= 13.4.0, < 13.5.0

Patched versions

13.5.0

Description

Impact

A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server.

This vulnerability can affect all Next.js deployments on the affected versions.

Patches

This vulnerability was resolved in Next.js 13.5 and later. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credit

We'd like to thank Thai Vu of flyseccorp.com for responsible disclosure of this vulnerability.

References

@jackwilson323 published to vercel/next.js Jul 10, 2024
Published to the GitHub Advisory Database Jul 10, 2024
Reviewed Jul 10, 2024
Published by the National Vulnerability Database Jul 10, 2024
Last updated Jul 10, 2024

Severity

High, 7.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CVE ID

CVE-2024-39693

GHSA ID

GHSA-fq54-2j52-jc42

Source code
