CVE-2024-46982 PoC — Cache Poisoning in next.js

Associated Vulnerability
Title: Cache Poisoning in next.js (CVE-2024-46982)
Description: Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. Using pages router, & 3. Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.
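
The three conditions in the description can be checked against a project to decide how urgently it needs the upgrade. The following triage sketch is an added example, not code from the PoC repository or the Next.js advisory. The function names are hypothetical, the sample file map is constructed, server-side rendering is detected heuristically through an exported `getServerSideProps`, and 13.5.7 and later on the 13.x line are assumed to carry the fix.

```javascript
// Added example: triage a project against the three conditions above.
// parseVersion, versionAffected, exposedRoutes, triage are hypothetical names.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// Comparator: a pre-release sorts before the release with the same numbers.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  return Number(b.pre) - Number(a.pre);
}

// true/false for an exact version, null for a range or tag ("^14.1.0",
// "latest") that must first be resolved from the lockfile.
function versionAffected(v) {
  const p = parseVersion(v);
  if (!p) return null;
  if (cmp(p, parseVersion("13.5.1")) < 0) return false;
  // Assumption: on the 13.x line, 13.5.7 and later carry the fix.
  const fixed = p.nums[0] === 13 ? "13.5.7" : "14.2.10";
  return cmp(p, parseVersion(fixed)) < 0;
}

// Heuristic: a pages-router file is SSR when it exports getServerSideProps.
// Dynamic segments ([slug]) are excluded per the description; API routes are not pages.
function exposedRoutes(files) {
  return Object.entries(files)
    .filter(([path, src]) =>
      /^(src\/)?pages\/.+\.(js|jsx|ts|tsx)$/.test(path) &&
      !/^(src\/)?pages\/api\//.test(path) &&
      !/\[[^\]]+\]/.test(path) &&
      /export\s+(async\s+)?(function|const)\s+getServerSideProps\b/.test(src))
    .map(([path]) => path);
}

function triage(nextVersion, files) {
  const affected = versionAffected(nextVersion);
  const routes = exposedRoutes(files);
  return { affected, routes, exposed: affected === true && routes.length > 0 };
}

// Constructed sample project (file path -> source text).
const SAMPLE_FILES = {
  "pages/dashboard.tsx": "export async function getServerSideProps() { return { props: {} }; }",
  "pages/blog/[slug].tsx": "export async function getServerSideProps() { return { props: {} }; }",
  "pages/about.tsx": "export default function About() { return null; }",
  "app/page.tsx": "export default function Page() { return null; }",
};
console.log(triage("14.2.9", SAMPLE_FILES));
```

A `null` result for `affected` means the version string was a range or tag, so the installed version has to be read from the lockfile before the result is meaningful. A pre-release of a fixed version is treated as affected, which is a conservative choice of this example.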
Description
POC CVE-2024-46982
Readme
# Next.js Cache Poisoning Exploit

This Go script demonstrates a cache poisoning exploit targeting Next.js `_next/image` endpoints by manipulating cache keys and injecting attacker-controlled URLs.

## Features
- Copies a source image file multiple times.
- Generates crafted URLs pointing to an attacker's server.
- Automates sending requests to the vulnerable target endpoint.
- Cleans up temporary files after each iteration.
- Configurable via command-line options.

## Requirements
- Go 1.21 or newer.
- A publicly accessible server (e.g., using `ngrok`).

## Usage
Run the script with the following options:

```bash
go run main.go -s <source-image> -a <attacker-url> -t <target-url> -n <num-copies> -d <delay>
```

## Example

```bash
go run main.go -h 

Usage: exploit [OPTIONS]

Options:
  -s, --source-image  Path to the source image file
  -a, --attacker-url  Base URL of the attacker's server (required)
  -f, --file          Path to the file containing target URLs (one per line)
  -n, --num-copies    Number of image copies to create and upload (default: 5)
  -d, --delay         Delay between requests in seconds (default: 60)
  -h, --help          Show this help message and exit

Example:
  go run exploit.go -s chillguy.jpg -a http://attacker-ngrok-url -t https://victim-url.com -n 10 -d 30
```
File Snapshot

```
[4.0K] /data/pocs/c3557d0f851b6ee178e3e761d25b65313c2f7b55
├── [ 80K] chill.jpg
├── [ 36] go.mod
├── [3.9K] main.go
└── [1.3K] README.md

0 directories, 4 files
```