Next.js Vulnerable to HTTP Request Smuggling
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
Details
### Impact Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to be making use of the [rewrites](https://nextjs.org/docs/app/api-reference/next-config-js/rewrites) feature in Next.js. ### Patches The vulnerability is resolved in Next.js `13.5.1` and newer. This includes Next.js `14.x`. ### Workarounds There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version. ### References https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning
The fix
improve publish-release (#55597)
scripts/publish-release.js+12 −9
@@ -56,6 +56,8 @@ const cwd = process.cwd()],{ stdio: 'inherit' })+// Return here to avoid retry logic+return} catch (err) {console.error(`Failed to publish ${pkg}`, err)@@ -69,21 +71,22 @@ const cwd = process.cwd()return}-if (retry < 3) {-const retryDelaySeconds = 15-console.log(`retrying in ${retryDelaySeconds}s`)-await new Promise((resolve) =>-setTimeout(resolve, retryDelaySeconds * 1000)-)-await publish(pkg, retry + 1)+if (retry >= 3) {+throw err}-throw err} finally {publishSema.release()}+// Recursive call need to be outside of the publishSema+const retryDelaySeconds = 15+console.log(`retrying in ${retryDelaySeconds}s`)+await new Promise((resolve) =>+setTimeout(resolve, retryDelaySeconds * 1000)+)+await publish(pkg, retry + 1)}-await Promise.all(+await Promise.allSettled(packageDirs.map(async (packageDir) => {const pkgJson = await readJson(path.join(packagesDir, packageDir, 'package.json')
v13.5.1-canary.0
lerna.json+1 −1
@@ -16,5 +16,5 @@"registry": "https://registry.npmjs.org/"}},-"version": "13.5.0"+"version": "13.5.1-canary.0"}
packages/create-next-app/package.json+1 −1
@@ -1,6 +1,6 @@{"name": "create-next-app",-"version": "13.5.0",+"version": "13.5.1-canary.0","keywords": ["react","next",
packages/eslint-config-next/package.json+2 −2
@@ -1,6 +1,6 @@{"name": "eslint-config-next",-"version": "13.5.0",+"version": "13.5.1-canary.0","description": "ESLint configuration used by Next.js.","main": "index.js","license": "MIT",@@ -10,7 +10,7 @@},"homepage": "https://nextjs.org/docs/app/building-your-application/configuring/eslint#eslint-config","dependencies": {-"@next/eslint-plugin-next": "13.5.0",+"@next/eslint-plugin-next": "13.5.1-canary.0","@rushstack/eslint-patch": "^1.3.3","@typescript-eslint/parser": "^5.4.2 || ^6.0.0","eslint-import-resolver-node": "^0.3.6",
packages/eslint-plugin-next/package.json+1 −1
@@ -1,6 +1,6 @@{"name": "@next/eslint-plugin-next",-"version": "13.5.0",+"version": "13.5.1-canary.0","description": "ESLint plugin for NextJS.","main": "dist/index.js","license": "MIT",
packages/font/package.json+1 −1
@@ -1,6 +1,6 @@{"name": "@next/font",-"version": "13.5.0",+"version": "13.5.1-canary.0","repository": {"url": "vercel/next.js","directory": "packages/font"
packages/next-bundle-analyzer/package.json+1 −1
@@ -1,6 +1,6 @@{"name": "@next/bundle-analyzer",-"version": "13.5.0",+"version": "13.5.1-canary.0","main": "index.js","types": "index.d.ts","license": "MIT",
packages/next-codemod/package.json+1 −1
@@ -1,6 +1,6 @@{"name": "@next/codemod",-"version": "13.5.0",+"version": "13.5.1-canary.0","license": "MIT","repository": {"type": "git",
packages/next-env/package.json+1 −1
@@ -1,6 +1,6 @@{"name": "@next/env",-"version": "13.5.0",+"version": "13.5.1-canary.0","keywords": ["react","next",
References
- WEBhttps://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-34350
- WEBhttps://github.com/vercel/next.js/commit/44eba020c615f0d9efe431f84ada67b81576f3f5
- PACKAGEhttps://github.com/vercel/next.js
- WEBhttps://github.com/vercel/next.js/compare/v13.5.0...v13.5.1