Sunday, February 9, 2025

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks


A new report has put the spotlight on potential security vulnerabilities within the popular open-source framework Next.js, demonstrating how improper caching mechanisms can lead to critical server-side cache poisoning attacks.

Developed by Vercel, Next.js remains a cornerstone for building server-rendered React applications; however, its popularity has also made it a lucrative target for threat actors.

The research, which culminated in significant bug bounty rewards, outlines novel exploitation techniques and underscores the importance of patching affected versions to mitigate potential damage.


Cache Poisoning via SSR and SSG

The report highlights vulnerabilities in two primary Next.js functions: getStaticProps (SSG) and getServerSideProps (SSR).

SSG pre-renders static pages at build time, so their responses can be cached publicly with Cache-Control directives such as s-maxage=31536000, stale-while-revalidate.

In contrast, SSR fetches and renders data on every request and normally disables shared caching with Cache-Control values such as private, no-cache, no-store.

The researcher discovered that by manipulating certain headers (e.g., x-now-route-matches) or internal URL parameters (__nextDataReq), it was possible to misclassify SSR requests as SSG.

This misclassification forces dynamic data to be cached improperly, opening the door for cache poisoning attacks.

Denial-of-Service (DoS) via Cache Poisoning

By exploiting caching misconfigurations, attackers can inject poisoned responses into a cache shared by all users.

For example, two requests for https://example.com/ and https://example.com/?__nextDataReq=1 could serve the same cached response if URL parameters are not part of the cache key.

If the JSON data response is stored under the cache key of the HTML page, every subsequent visitor receives JSON instead of the page, resulting in a Denial-of-Service (DoS).

The research also demonstrates how a poisoned cache can lead to stored XSS vulnerabilities.

Stored XSS on Next.js

If a reflected value, such as a user-agent string, is injected into a cached response, it becomes possible to execute malicious scripts whenever users access the affected endpoint.

In one example, the payload <img src=x onerror=alert('exploit')> was embedded in the cached response, producing a persistent XSS that fired for every user accessing the endpoint.
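To make the two failure modes above concrete, here is an added example (not code from the report or from Next.js) that models a shared cache in front of an origin serving the same route as HTML and, via the assumed data-request parameter __nextDataReq, as JSON. A cache keyed on the path only reproduces the DoS, and an origin that reflects the user-agent unescaped reproduces the stored XSS; the hardened settings key on the full URL and escape output.

```javascript
// Added example (not from the report or Next.js): a shared cache in front of an
// origin that answers "/" with HTML and "/?__nextDataReq=1" with JSON (assumed
// data-request parameter); both carry the public SSG-style Cache-Control.
const ORIGIN_BASE = 'https://example.com'; // constructed placeholder host
// Minimal HTML escaping so request-derived values never become markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Origin: one route, two representations; the user-agent is reflected in both.
function origin(url, headers, escapeOutput) {
  const u = new URL(url, ORIGIN_BASE);
  const ua = headers['user-agent'] || '';
  const cacheControl = 's-maxage=31536000, stale-while-revalidate';
  if (u.searchParams.has('__nextDataReq')) {
    return { type: 'application/json', cacheControl, body: JSON.stringify({ pageProps: { ua } }) };
  }
  return { type: 'text/html', cacheControl, body: `<p>Hello ${escapeOutput ? escapeHtml(ua) : ua}</p>` };
}

// Shared cache. keyIncludesQuery=false is the weak setup the article describes:
// "/" and "/?__nextDataReq=1" collide on a single cache entry.
function makeCache({ keyIncludesQuery, escapeOutput }) {
  const store = new Map();
  return function fetch(url, headers = {}) {
    const u = new URL(url, ORIGIN_BASE);
    const key = keyIncludesQuery ? u.pathname + u.search : u.pathname;
    if (store.has(key)) return { ...store.get(key), fromCache: true };
    const res = origin(url, headers, escapeOutput);
    store.set(key, res); // public s-maxage, so a shared cache may store it
    return { ...res, fromCache: false };
  };
}

// DoS: a data request is cached first, then an ordinary visitor asks for the page.
function dosScenario(config) {
  const fetch = makeCache(config);
  fetch('/?__nextDataReq=1', { 'user-agent': 'Mozilla/5.0' });
  return fetch('/', { 'user-agent': 'Mozilla/5.0' }).type; // 'application/json' when poisoned
}
// Stored XSS: a hostile user-agent is cached into the HTML, then a visitor loads it.
function xssScenario(config) {
  const fetch = makeCache(config);
  fetch('/', { 'user-agent': "<img src=x onerror=alert('exploit')>" }); // payload quoted from the article
  return fetch('/', { 'user-agent': 'Mozilla/5.0' }).body;
}
const WEAK = { keyIncludesQuery: false, escapeOutput: false };
const HARDENED = { keyIncludesQuery: true, escapeOutput: true };
```

Even the hardened configuration still freezes the first visitor's user-agent into a public page; the durable fix is to keep per-request input out of publicly cacheable responses altogether.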

This discovery highlights a severe impact on platform availability, confidentiality, and integrity, especially for sensitive systems like e-commerce or cryptocurrency exchanges.

The researcher identified a critical vulnerability, later cataloged as CVE-2024-46982, leveraging the stale-while-revalidate directive to poison caches.

The vulnerability affected Next.js versions between 13.5.1 and 14.2.9; deployments hosted on Vercel or using the newer App Router architecture were unaffected.

The Vercel team released a patch addressing the issue, alongside a security advisory urging developers to apply updates immediately.

Next.js, with over six million weekly downloads, remains a foundational JavaScript framework for countless applications worldwide.

This investigation into cache poisoning exploits highlights the importance of rigorous security mechanisms and regular updates.

Beyond the technical implications, the findings showcase the role of bug bounty programs in uncovering and addressing vulnerabilities proactively.

The research emphasizes the potential for high-impact vulnerabilities, including Denial-of-Service (DoS) and Stored XSS, when cache mechanisms are improperly configured.

Developers using Next.js are strongly advised to update to a patched version and to adopt a defensive approach to caching.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
