CVE-2024-56332

{"id": "CVE-2024-56332", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-01-03T21:15:13.550", "references": [{"url": "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.). Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe version. There are no official workarounds."}, {"lang": "es", "value": "Next.js es un framework React para crear aplicaciones web full-stack. A partir de la versi\u00f3n 13.0.0 y antes de las versiones 13.5.8, 14.2.21 y 15.1.2, Next.js es vulnerable a un ataque de denegaci\u00f3n de servicio (DoS) que permite a los atacantes construir solicitudes que dejan las solicitudes a las acciones del servidor colgadas hasta que el proveedor de alojamiento cancele la ejecuci\u00f3n de la funci\u00f3n. Esta vulnerabilidad tambi\u00e9n se puede utilizar como un ataque de denegaci\u00f3n de cartera (DoW) cuando se implementa en proveedores que facturan por tiempos de respuesta. (Nota: el servidor Next.js est\u00e1 inactivo durante ese tiempo y solo mantiene la conexi\u00f3n abierta. El uso de CPU y memoria es bajo durante ese tiempo). Las implementaciones sin ninguna protecci\u00f3n contra invocaciones de acciones del servidor de larga duraci\u00f3n son especialmente vulnerables. Los proveedores de alojamiento como Vercel o Netlify establecen una duraci\u00f3n m\u00e1xima predeterminada en la ejecuci\u00f3n de la funci\u00f3n para reducir el riesgo de facturaci\u00f3n excesiva. Este es el mismo problema que si la solicitud HTTP entrante tiene un encabezado `Content-Length` no v\u00e1lido o nunca se cierra. Si el host no tiene otras mitigaciones para estas, entonces esta vulnerabilidad es nueva. Esta vulnerabilidad afecta solo a las implementaciones de Next.js que utilizan Acciones del servidor. El problema se resolvi\u00f3 en Next.js 13.5.8, 14.2.21 y 15.1.2. Recomendamos que los usuarios actualicen a una versi\u00f3n segura. No existen workarounds oficiales."}], "lastModified": "2025-09-10T15:48:41.830", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E7196D78-BDDA-4939-B9E0-89BCDA3C64C9", "versionEndExcluding": "13.5.8", "versionStartIncluding": "13.0.0"}, {"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D3BE3E65-BCF1-45DE-8154-E7FE187EB497", "versionEndExcluding": "14.2.21", "versionStartIncluding": "14.0.0"}, {"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "432A4401-5564-4D0B-82BD-11322EA7FEDF", "versionEndExcluding": "15.1.2", "versionStartIncluding": "15.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}