Next.js Vulnerabilities Expose Websites to Cache Poisoning and XSS Attacks

Want to show the importance of securing popular frameworks and the risks of improper caching? This article on Next.js vulnerabilities is a must-read!

Recent research has identified critical vulnerabilities in the Next.js framework, specifically between versions 13.5.1 and 14.2.9, which expose websites to cache poisoning and stored cross-site scripting (XSS) attacks. These vulnerabilities stem from improper caching mechanisms, allowing attackers to manipulate data-fetching routes and request details, resulting in corrupted content delivery and execution of malicious scripts. The issues affect static-route deployments on non-Vercel-hosted sites, necessitating an upgrade to version 14.2.10 or later. Organizations using Next.js must apply patches promptly, modify cache keys, and review their code to safeguard against these threats, given the framework's extensive use and potential impact on user privacy and service availability.

Key Facts

Risks:

Misconfiguration, Web App/Website Vulnerability, Open Source

Keywords:

Next.js, Cache Poisoning, Stored XSS, CVE-2024-46982, JavaScript Vulnerability, Web Security

CVE:

CVE-2024-46982

Affected:

Next.js

Article Body

Critical Vulnerabilities in Next.js Framework: Cache Poisoning and XSS Attacks

Recent research has uncovered significant vulnerabilities in the Next.js framework, a widely used JavaScript platform. These vulnerabilities, affecting versions 13.5.1 to 14.2.9, involve cache poisoning and stored cross-site scripting (XSS) attacks. This discovery has prompted crucial discussions in the cybersecurity community about securing Next.js deployments.

Understanding the Vulnerabilities

The vulnerabilities arise from improper caching mechanisms within Next.js, particularly affecting data-fetching routes and the use of getStaticProps (SSG) and getServerSideProps (SSR). These functions can be manipulated by attackers when caching misconfigurations occur, leading to cache poisoning and stored XSS attacks.

Cache Poisoning Explained

Cache poisoning allows attackers to manipulate server-side caches by appending specific parameters and headers to requests. For instance, parameters like __nextDataReq and headers such as x-now-route-matches can trick the framework into caching dynamic SSR data as static SSG data. This results in restricted content being cached with long expiration times, causing users to receive corrupted content.

Example of Cache Poisoning:

Stored XSS via Cache Poisoning

Stored XSS is a severe vulnerability where malicious scripts are stored on the server and later executed in users' browsers. In Next.js, an attacker can inject harmful payloads into cached content by exploiting how user-provided data (e.g., User-Agent, cookies, headers) is reflected using getServerSideProps.

Stored XSS Attack Vector:

A malicious payload can be served with a text/html content type, executing whenever users access the affected page without further interaction.

Example Payload:

GET /poc?__nextDataReq=1 HTTP/1.1
User-Agent: CP TO SXSS ON NEXT.JS : <img src=x onerror=alert('Exploit')>
x-now-route-matches: 1
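The request above as a defender sees it: the following is an added example (not code from the article or from Next.js) that parses raw HTTP requests like the one shown, flags the combination of the __nextDataReq query parameter and the x-now-route-matches header named in the article, flags markup in any header value, and shows the HTML escaping a code review should confirm wherever a header value such as User-Agent is reflected into a page. The request text layout, the finding names and the sample requests are this example's own constructions.

```javascript
// Added example, not from the article: inspect raw HTTP requests for the
// CVE-2024-46982 request pattern and escape reflected header values.
// The raw-request layout and the finding names are assumptions of this example.

const INTERNAL_QUERY_PARAM = "__nextDataReq";          // named in the article
const INTERNAL_ROUTING_HEADER = "x-now-route-matches"; // named in the article

// Parse "METHOD target HTTP/x" followed by "Name: value" header lines.
function parseRequest(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.trim().length > 0);
  const [method, target] = lines[0].split(/\s+/);
  // Placeholder base so a relative target parses; only path and query are used.
  const url = new URL(target, "http://placeholder.invalid");
  const headers = {};
  for (const line of lines.slice(1)) {
    const sep = line.indexOf(":");
    if (sep === -1) continue; // malformed header line, ignored
    headers[line.slice(0, sep).trim().toLowerCase()] = line.slice(sep + 1).trim();
  }
  return { method, path: url.pathname, query: url.searchParams, headers };
}

// Findings for one request; an empty array means nothing suspicious.
function inspectRequest(raw) {
  const req = parseRequest(raw);
  const findings = [];
  const hasDataReq = req.query.has(INTERNAL_QUERY_PARAM);
  const hasRouteMatches = INTERNAL_ROUTING_HEADER in req.headers;
  if (hasDataReq && hasRouteMatches) {
    findings.push("ssr-as-ssg-cache-poisoning-attempt");
  } else if (hasRouteMatches) {
    findings.push("internal-routing-header-from-client");
  }
  // Markup in a header the application may reflect is the stored-XSS ingredient.
  for (const [name, value] of Object.entries(req.headers)) {
    if (/<[a-z!\/][^>]*>/i.test(value)) findings.push(`html-in-header:${name}`);
  }
  return findings;
}

// Output encoding for any header value a page reflects into HTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed samples: the article's proof-of-concept request and a benign request.
const SAMPLE_REQUESTS = [
  "GET /poc?__nextDataReq=1 HTTP/1.1\r\n" +
    "User-Agent: CP TO SXSS ON NEXT.JS : <img src=x onerror=alert('Exploit')>\r\n" +
    "x-now-route-matches: 1\r\n",
  "GET /poc HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n",
];

function scanSamples() {
  return SAMPLE_REQUESTS.map((raw) => ({
    request: raw.split(/\r?\n/)[0],
    findings: inspectRequest(raw),
  }));
}

console.log(JSON.stringify(scanSamples(), null, 2));
```

The header-only finding is deliberately separate from the combined one: a lone x-now-route-matches from an external client is worth a lower-severity alert on its own, while the combination with __nextDataReq is the exact shape of the proof of concept.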

CVE-2024-46982 and Cache Misclassification

One identified vulnerability, CVE-2024-46982, shows how attackers can exploit caching directives like s-maxage and stale-while-revalidate. By tricking the framework into treating SSR requests as SSG requests, attackers can bypass no-cache controls, leading to private data being cached and reused, risking confidentiality.
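An added example, not from the article and not Next.js code, of the storage decision a shared cache in front of a self-hosted deployment can make so that the misclassification described above cannot be triggered from the client side: it refuses to store any response for a request that carries the internal __nextDataReq parameter or x-now-route-matches header, honours the origin's private/no-store directives, and takes the shared TTL from s-maxage (else max-age). The request and response object shapes, the Cache-Control sample values and the cache-key format are assumptions made for this example.

```javascript
// Added example, not from the article or from Next.js: a shared-cache storage
// decision written out per response. Assumed shapes: req = { method, path,
// query: plain object, headers: object with lowercased names }; resHeaders =
// object with lowercased names.

const INTERNAL_QUERY_PARAMS = ["__nextDataReq"];      // named in the article
const INTERNAL_HEADERS = ["x-now-route-matches"];     // named in the article

// "s-maxage=31536000, stale-while-revalidate"
//   -> { "s-maxage": 31536000, "stale-while-revalidate": true }
function parseCacheControl(value) {
  const directives = {};
  for (const part of String(value || "").split(",")) {
    const [name, arg] = part.trim().toLowerCase().split("=");
    if (!name) continue;
    directives[name] = arg === undefined ? true : Number(arg);
  }
  return directives;
}

// Key built only from what legitimately selects a response variant.
function cacheKey(req) {
  const query = Object.keys(req.query)
    .sort()
    .map((k) => `${k}=${req.query[k]}`)
    .join("&");
  return `${req.method} ${req.path}?${query} accept=${req.headers["accept"] || ""}`;
}

function sharedCacheDecision(req, resHeaders) {
  // 1. Internal routing signals never legitimately arrive from a client; the
  //    response to such a request is never stored for other users.
  const fromClient =
    INTERNAL_QUERY_PARAMS.some((p) => p in req.query) ||
    INTERNAL_HEADERS.some((h) => h in req.headers);
  if (fromClient) return { store: false, reason: "internal-routing-signal-from-client" };

  // 2. The origin's directives are authoritative: private and no-store
  //    responses stay out of the shared cache.
  const cc = parseCacheControl(resHeaders["cache-control"]);
  if (cc["no-store"] || cc["private"]) return { store: false, reason: "origin-forbids-shared-caching" };

  // 3. Only a positive shared TTL (s-maxage, else max-age) makes the response
  //    storable; stale-while-revalidate alone extends the serving window and
  //    does not grant storage.
  const ttl = cc["s-maxage"] !== undefined ? cc["s-maxage"] : cc["max-age"] !== undefined ? cc["max-age"] : 0;
  if (!(ttl > 0)) return { store: false, reason: "no-positive-ttl" };
  return { store: true, ttl, key: cacheKey(req), staleWhileRevalidate: "stale-while-revalidate" in cc };
}

// Constructed samples: a static page, the proof-of-concept request against an
// SSR page, and the two kinds of Cache-Control the origin might emit.
const SSG_PAGE = { method: "GET", path: "/about", query: {}, headers: { accept: "text/html" } };
const SSR_PAGE_POISON = {
  method: "GET", path: "/poc", query: { __nextDataReq: "1" },
  headers: { accept: "text/html", "x-now-route-matches": "1" },
};
const SSG_RESPONSE = { "cache-control": "s-maxage=31536000, stale-while-revalidate" };
const SSR_RESPONSE = { "cache-control": "private, no-cache, no-store, max-age=0, must-revalidate" };

console.log(sharedCacheDecision(SSG_PAGE, SSG_RESPONSE));
console.log(sharedCacheDecision(SSR_PAGE_POISON, SSG_RESPONSE)); // refused by rule 1
console.log(sharedCacheDecision(SSG_PAGE, SSR_RESPONSE));        // refused by rule 2
```

The second call is the interesting one: even if the origin is tricked into answering the poisoned request with long-lived static-style directives, rule 1 keeps that response out of the entry other users will read. Upgrading to the patched framework version remains the actual fix; this check is the cache-side safety net.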

Affected Deployments and Remediation Steps

These vulnerabilities impact static-route deployments using the Pages Router on non-Vercel-hosted sites. It is essential to upgrade to Next.js version 14.2.10 or later. Security measures include:

Broader Implications

With over 6 million weekly downloads, Next.js is popular enough that these vulnerabilities could significantly affect availability and user privacy on sensitive platforms. Although Vercel has released patches and advisories, organizations using Next.js must prioritize applying these updates and hardening their deployments to protect against advanced exploitation techniques.

Read More

https://cyberpress.org/critical-vulnerability-in-next-js-framework-exposes-websites/?amp=1