CVE-2024-34350
CVSS V2 None
CVSS V3 None
Description
Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to be making use of the [rewrites](https://nextjs.org/docs/app/api-reference/next-config-js/rewrites) feature in Next.js. The vulnerability is resolved in Next.js `13.5.1` and newer.
Overview
- CVE ID
- CVE-2024-34350
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-05-09T16:07:44.499Z
- Last Modified Date
- 2024-06-04T17:41:25.563Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf | x_refsource_CONFIRM |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-34350 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34350 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-06-26 14:22:13 | Added to TrackCVE |