CVE-2024-51479— Next.js 授权问题漏洞

Authorization bypass in Next.js

Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

授权机制不恰当

Next.js 授权问题漏洞

Next.js是Vercel开源的一个 React 框架。 Next.js 14.2.15之前版本存在授权问题漏洞，该漏洞源于如果应用程序根据路径名在中间件中执行授权，则应用程序根目录下的页面可能会绕过此授权。

N/A

N/A