Home > Vulnerability Database > CVE-2024-51479

Mend.io Vulnerability Database

CVE-2024-51479

Good to know:

Date: December 17, 2024

Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] "https://example.com/"; * [Affected] "https://example.com/foo"; * [Not affected] "https://example.com/foo/bar";. This issue is patched in Next.js "14.2.15" and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.

Severity Score

7.5

Related Resources (6)

Url: https://github.com/vercel/next.js/commit/1c8234eb20bc8afd396b89999a00f06b61d72d7b

Url: https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f

Url: https://github.com/vercel/next.js/releases/tag/v14.2.15

Url: https://github.com/vercel/next.js

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-51479

Url: https://www.mend.io/vulnerability-database/CVE-2024-51479

Severity Score

7.5

Weakness Type (CWE)

Improper Authorization

CWE-285

Incorrect Authorization

CWE-863

Top Fix

Upgrade Version

Upgrade to version next - 14.2.15

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-51479

Good to know:

Date: December 17, 2024

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?