CVE-2024-51479

Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vercel/next.js/releases/tag/v14.2.15	Release Notes
https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

History

10 Sep 2025, 15:48

Type	Values Removed	Values Added
CWE		CWE-863
First Time		Vercel Vercel next.js
CPE		cpe:2.3:a:vercel:next.js::::::node.js::*
References	~~() https://github.com/vercel/next.js/releases/tag/v14.2.15 -~~	() https://github.com/vercel/next.js/releases/tag/v14.2.15 - Release Notes
References	~~() https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f -~~	() https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f - Vendor Advisory

17 Dec 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-17 19:15

Updated : 2025-09-10 15:48

NVD link : CVE-2024-51479

Mitre link : CVE-2024-51479

CVE.ORG link : CVE-2024-51479

JSON object : View

Products Affected

vercel

next.js

CWE

CWE-285

Improper Authorization

CWE-863

Incorrect Authorization

{"id": "CVE-2024-51479", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-12-17T19:15:06.697", "references": [{"url": "https://github.com/vercel/next.js/releases/tag/v14.2.15", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability."}, {"lang": "es", "value": "Next.js es un framework de trabajo de React para crear aplicaciones web de pila completa. En las versiones afectadas, si una aplicaci\u00f3n Next.js realiza una autorizaci\u00f3n en middleware basada en una ruta de acceso, era posible omitir esta autorizaci\u00f3n para las p\u00e1ginas que se encuentran directamente bajo el directorio ra\u00edz de la aplicaci\u00f3n. Por ejemplo: * [No afectado] `https://example.com/` * [Afectado] `https://example.com/foo` * [No afectado] `https://example.com/foo/bar`. Este problema se solucion\u00f3 en Next.js `14.2.15` y versiones posteriores. Si su aplicaci\u00f3n Next.js est\u00e1 alojada en Vercel, esta vulnerabilidad se ha mitigado autom\u00e1ticamente, independientemente de la versi\u00f3n de Next.js. No existen workarounds oficiales para esta vulnerabilidad."}], "lastModified": "2025-09-10T15:48:08.253", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "9509F63C-F836-4562-A8D0-C650082A399A", "versionEndExcluding": "14.2.15", "versionStartIncluding": "9.5.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}