CVE-2024-34350 Overview
CVE-2024-34350 is an HTTP Request Smuggling vulnerability in Next.js, Vercel's popular React framework for building web applications. The vulnerability stems from an inconsistent interpretation of crafted HTTP requests, where requests are treated as both a single request and two separate requests by Next.js. This desynchronization leads to response queue poisoning, potentially allowing attackers to manipulate responses served to other users.
Critical Impact
Attackers can exploit this vulnerability to poison the response queue, potentially serving malicious content to legitimate users or bypassing security controls in affected Next.js applications using the rewrites feature.
Affected Products
- Vercel Next.js versions prior to 13.5.1
- Next.js applications utilizing the rewrites feature
- Node.js deployments running vulnerable Next.js versions
Discovery Timeline
- 2024-05-14 - CVE-2024-34350 published to NVD
- 2025-09-10 - Last updated in NVD database
Technical Details for CVE-2024-34350
Vulnerability Analysis
This vulnerability is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests), commonly known as HTTP Request Smuggling. The flaw occurs when the Next.js server inconsistently parses HTTP request boundaries, causing a single malicious request to be interpreted as multiple requests. This creates a desynchronization between the front-end and back-end request processing, leading to response queue poisoning.
The attack surface is limited to Next.js applications that implement the rewrites feature in their next.config.js configuration. The rewrites feature allows developers to map incoming request paths to different destination paths, and it is within this request transformation logic that the inconsistent parsing occurs.
Root Cause
The root cause lies in how Next.js handles HTTP request parsing when the rewrites feature is enabled. The framework fails to properly normalize or validate certain crafted HTTP request structures, leading to ambiguous request boundary interpretation. When a specially crafted request is sent, Next.js processes it differently at various stages of the request pipeline, resulting in one request being treated as two separate requests internally.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable Next.js application that uses the rewrites feature. The crafted request exploits the parsing inconsistency to inject a second request into the processing queue. This can result in:
- Response queue poisoning where subsequent users receive incorrect responses
- Cache poisoning if caching mechanisms are in place
- Potential bypass of security controls that rely on proper request isolation
- Session hijacking or data leakage in multi-tenant environments
The attack leverages the discrepancy in how HTTP request boundaries are interpreted, allowing the attacker to "smuggle" a malicious request that gets processed in the context of another user's session or request.
Detection Methods for CVE-2024-34350
Indicators of Compromise
- Unusual HTTP response patterns where users receive unexpected content
- Log entries showing requests with malformed or duplicated headers
- Discrepancies between access logs showing single requests but application logs showing multiple request processing events
- Reports of users receiving responses intended for other users
Detection Strategies
- Monitor for HTTP requests with ambiguous Content-Length or Transfer-Encoding headers
- Implement request integrity validation at the application layer
- Deploy Web Application Firewall (WAF) rules to detect HTTP request smuggling patterns
- Review Next.js server logs for anomalous request parsing behavior
Monitoring Recommendations
- Enable detailed request logging in Next.js applications to capture full request headers
- Implement real-time alerting for HTTP desynchronization patterns
- Monitor for cache poisoning indicators if using CDN or caching layers
- Conduct regular security audits of applications using the rewrites feature
How to Mitigate CVE-2024-34350
Immediate Actions Required
- Upgrade Next.js to version 13.5.1 or newer immediately
- Audit all Next.js applications to identify those using the rewrites feature
- Review application logs for any signs of exploitation
- Consider temporarily disabling rewrites if immediate upgrade is not possible
Patch Information
Vercel has resolved this vulnerability in Next.js version 13.5.1 and all subsequent releases. Organizations should upgrade to the latest stable version of Next.js to ensure protection against this and other security issues. The patch addresses the inconsistent HTTP request parsing that enabled the response queue poisoning attack.
For detailed information about the vulnerability and the fix, refer to the GitHub Security Advisory GHSA-77r5-gw3j-2mpf.
Workarounds
- Temporarily disable the rewrites feature in next.config.js if upgrading is not immediately possible
- Deploy a reverse proxy or WAF configured to normalize HTTP requests before they reach the Next.js application
- Implement strict HTTP request validation at the network edge
- Use HTTP/2 where possible, as it uses binary framing that is less susceptible to smuggling attacks
# Upgrade Next.js to patched version
npm install next@13.5.1
# Or upgrade to latest stable version
npm install next@latest
# Verify installed version
npm list next
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
