CVE-2024-56332

Published Jan 3, 2025

Last updated 8 months ago

CVSS medium 5.3

Overview

Description
Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.). Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe version. There are no official workarounds.
Source
security-advisories@github.com
NVD status
Analyzed
Products
next.js

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.3
Impact score
1.4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity
MEDIUM

Weaknesses

security-advisories@github.com
CWE-770

Social media

Hype score
Not currently trending

  1. 記事を投稿しました! Next.js の脆弱性 CVE-2024-56332 への対応 [pdfjs] on #Qiita https://t.co/GqzXKs02QY

    @Hogeta_KL

    17 Jan 2025

    51 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. ⚠️Next.js Vulnerable a Denegación de Servicio (DoS) con peticiones a Server Actions 🚨CVE-2024-56332 https://t.co/gkFdkOa8dc… https://t.co/vAuEi2RtVJ

    @doncaptador

    8 Jan 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. ⚠️Next.js Vulnerable a Denegación de Servicio (DoS) con peticiones a Server Actions 🚨CVE-2024-56332 https://t.co/NETtyOxReq https://t.co/LMPWaUngp6

    @elhackernet

    8 Jan 2025

    1557 Impressions

    0 Retweets

    4 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  4. Next.js Patches Denial-of-Service Vulnerability (CVE-2024-56332) in Server Actions. #cybersecurity #informationsecurity https://t.co/mj1PbvFlnq

    @SecAdvsAlerts

    5 Jan 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. #Vulnerability #CVE202456332 Next.js Patches Denial-of-Service Vulnerability (CVE-2024-56332) in Server Actions https://t.co/OdUauRXwbW

    @Komodosec

    4 Jan 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨 Next.js has addressed a critical DoS vulnerability (CVE-2024-56332) in Server Actions that could exhaust server resources. Users should update to versions v14.2.21, v15.1.2, or v13.5.8 for safety. 🇺🇸 #NextJS #ServerSecurity #CybersecurityNews link: https://t.co/46S5VTz4QT h

    @TweetThreatNews

    4 Jan 2025

    29 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨🚨CVE-2024-56332: Next.js Vulnerable to Denial of Service (DoS) with Server Actions ⚠️A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. ZoomEye… http

    @zoomeye_team

    4 Jan 2025

    1445 Impressions

    3 Retweets

    11 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  8. Next.js Patches Denial-of-Service Vulnerability (CVE-2024-56332) in Server Actions https://t.co/3Q8lRl3x1W

    @WhalersLtd

    4 Jan 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Next.js, Server Actions’da Denial-of-Service (DoS) Zafiyetini Giderdi (CVE-2024-56332) https://t.co/Vc1NYxslv4

    @cyberwebeyeos

    4 Jan 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2024-56332 Denial of Service Vulnerability in Next.js Server Actions (Fixed) Next.js is a React framework for full-stack web apps. In versions from 13.0.0 to before 13.5.8, 14.2.21, and 15.1.2, it has a Denia... https://t.co/2R4rVteAH3

    @VulmonFeeds

    3 Jan 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. CVE-2024-56332 Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulner… https://t.co/FuszjozEKZ

    @CVEnew

    3 Jan 2025

    547 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. The vulnerability originated in an upstream library vendored by Next.js. It is fixed in Next.js 15.5.13 and 16.1.7 by updating that dependency’s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path. If upgrading is not immediately possible, block chunked `DELETE`/`OPTIONS` requests on rewritten routes at the edge/proxy, and/or enforce authentication/authorization on backend routes.CVE-2026-29057
  2. Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).CVE-2026-27980
  3. Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service. This is fixed in version 16.1.7 by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. If upgrading is not immediately possible, block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client.CVE-2026-27979
  4. Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.CVE-2026-27978
  5. Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy.CVE-2026-27977

References

Sources include official advisories and independent security research.