Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular open-source framework Next.js, demonstrating how improper caching mechanisms can lead to critical server-side cache poisoning attacks.

Developed by Vercel, Next.js remains a cornerstone for building server-rendered React applications; however, its popularity has also made it a lucrative target for threat actors.

The research, which culminated in significant bug bounty rewards, outlines novel exploitation techniques and underscores the importance of patching affected versions to mitigate potential damage.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Cache Poisoning via SSR and SSG

The report highlights vulnerabilities in two primary Next.js functions: getStaticProps (SSG) and getServerSideProps (SSR).

SSG is designed to pre-render static pages at build time, enabling public caching with directives such as s-maxage=31536000, stale-while-revalidate.

In contrast, SSR dynamically fetches and transmits data during requests, typically disabling caching with headers like private, no-cache, no-store.

The researcher discovered that by manipulating certain headers (e.g., x-now-route-matches) or internal URL parameters (__nextDataReq), it was possible to misclassify SSR requests as SSG.

This misclassification forces dynamic data to be cached improperly, opening the door for cache poisoning attacks.

Denial-of-Service (DoS) via Cache Poisoning

By exploiting caching misconfigurations, attackers can inject poisoned responses into a cache shared by all users.

For example, two requests for https://example.com/ and https://example.com/?__nextDataReq=1 could serve the same cached response if URL parameters are not part of the cache key.

An attacker can manipulate the cache to serve JSON data instead of standard HTML, resulting in a Denial-of-Service (DoS).

The research also demonstrates how a poisoned cache can lead to stored XSS vulnerabilities.

If a reflected value, such as a user-agent string, is injected into a cached response, it becomes possible to execute malicious scripts whenever users access the affected endpoint.

One example payload revealed an attacker embedding <img src=x onerror=alert('exploit')> in the cache, triggering a persistent XSS attack across all users accessing the endpoint.

This discovery highlights a severe impact on platform availability, confidentiality, and integrity, especially for sensitive systems like e-commerce or cryptocurrency exchanges.

The researcher identified a critical vulnerability, later cataloged as CVE-2024-46982, leveraging the stale-while-revalidate directive to poison caches.

Although the vulnerability primarily affected versions of Next.js between 13.5.1 and 14.2.9, deployments hosted on Vercel or using the newer app router architecture were unaffected.

The Vercel team released a patch addressing the issue, alongside a security advisory urging developers to apply updates immediately.

Next.js, with over six million weekly downloads, remains a foundational JavaScript framework for countless applications worldwide.

This investigation into cache poisoning exploits highlights the importance of rigorous security mechanisms and regular updates.

Beyond the technical implications, the findings showcase the role of bug bounty programs in uncovering and addressing vulnerabilities proactively.

The research emphasizes the potential for high-impact vulnerabilities, including Denial-of-Service (DoS) and Stored XSS, when cache mechanisms are improperly configured.

Developers leveraging Next.js are strongly advised to patch their frameworks and adopt a defensive approach to caching.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar