CVE-2024-46982 Overview
CVE-2024-46982 is a cache poisoning vulnerability in Next.js, a popular React framework for building full-stack web applications. By sending a crafted HTTP request, an attacker can poison the cache of a non-dynamic server-side rendered route in the pages router. This vulnerability does not affect the app router.
The crafted request coerces Next.js into caching a route that is not meant to be cached and into sending a Cache-Control: s-maxage=1, stale-while-revalidate header, which some upstream CDNs may cache as well. This can lead to denial of service conditions where users receive stale or incorrect content.
Critical Impact
Attackers can force Next.js to cache non-dynamic server-side rendered pages that should not be cached, potentially causing widespread service disruption through CDN cache poisoning.
Affected Products
- Vercel Next.js versions 13.5.1 through 13.5.6
- Vercel Next.js versions 14.0.0 through 14.2.9
- Applications using the pages router with non-dynamic server-side rendered routes
Discovery Timeline
- 2024-09-17 - CVE-2024-46982 published to NVD
- 2025-09-10 - Last updated in NVD database
Technical Details for CVE-2024-46982
Vulnerability Analysis
This cache poisoning vulnerability exists in how Next.js handles the revalidation metadata for server-side rendered pages in the pages router. The issue stems from improper authorization handling (CWE-639: Authorization Bypass Through User-Controlled Key) where the caching behavior can be manipulated through specially crafted HTTP requests.
To be potentially affected, all of the following conditions must apply:
- Next.js version between 13.5.1 and 14.2.9
- Using the pages router (not the app router)
- Using non-dynamic server-side rendered routes (e.g., pages/dashboard.tsx, not pages/blog/[slug].tsx)
The vulnerability allows an attacker to bypass the intended caching configuration, forcing the server to emit cache headers that indicate the response is cacheable when it should not be.
Root Cause
The root cause lies in the fallback revalidate value handling in packages/next/src/server/base-server.ts. When the revalidate value was undefined, the code defaulted to a minimum revalidate value of 1 second instead of properly respecting the absence of caching configuration. This default behavior could be triggered by crafted requests, causing routes intended to be uncached to receive caching headers.
Additionally, the packages/next/src/server/render.tsx file did not explicitly set metadata.revalidate = 0 after processing server-side props, leaving the caching behavior vulnerable to manipulation.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can send crafted HTTP requests to targeted Next.js applications to trigger the cache poisoning behavior. Once poisoned, upstream CDNs may cache the malicious response, amplifying the impact across all users accessing the affected route.
The attack targets the pages router's server-side rendering pipeline, exploiting the fallback caching logic to force inappropriate Cache-Control headers to be sent with responses.
// Security patch in packages/next/src/server/base-server.ts
// Source: https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3
return {
...result,
- revalidate:
- result.revalidate !== undefined
- ? result.revalidate
- : /* default to minimum revalidate (this should be an invariant) */ 1,
+ revalidate: result.revalidate,
}
},
{
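Review bot: With the fallback removed, the new line revalidate: result.revalidate can pass undefined through to whatever consumes this object, while the deleted comment said a defined value "should be an invariant". Nothing in this hunk enforces or documents that. Consider failing loudly (throw or log) when result.revalidate is undefined instead of relying on every consumer to treat undefined as not cacheable, and add a short comment stating what undefined means at this point.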
// Security patch in packages/next/src/server/render.tsx
// Source: https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3
})
)
canAccessRes = false
+ metadata.revalidate = 0
} catch (serverSidePropsError: any) {
// remove not found error code to prevent triggering legacy
// 404 rendering
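Review bot: metadata.revalidate = 0 is the last statement of the try block, so if anything above it throws, control reaches catch (serverSidePropsError) without the assignment having run. If the error path can still produce a response, set the value before the try or in a finally block so it does not depend on the success path. A one-line comment explaining why the value is forced to 0 here would also help the next reader.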
Detection Methods for CVE-2024-46982
Indicators of Compromise
- Unexpected Cache-Control: s-maxage=1, stale-while-revalidate headers on server-side rendered pages that should not be cached
- CDN cache hit ratios suddenly increasing for pages using getServerSideProps
- Reports of users receiving stale or incorrect content on dynamic pages
- Unusual HTTP request patterns targeting non-dynamic SSR routes
Detection Strategies
- Monitor HTTP response headers for unexpected Cache-Control directives on pages that use getServerSideProps
- Implement CDN logging to detect cache entries for routes that should bypass caching
- Set up alerts for anomalous cache behavior patterns in your CDN analytics
- Review web server access logs for crafted requests attempting to manipulate caching behavior
Monitoring Recommendations
- Enable verbose logging on your CDN to track cache hit/miss ratios per route
- Implement real-time monitoring for Cache-Control header anomalies in your Next.js application
- Set up synthetic monitoring to periodically verify that uncacheable routes are returning expected no-store or private cache directives
- Monitor for sudden changes in response times that could indicate cache poisoning affecting user experience
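The header check described in the detection and monitoring lists above, as an added example (not code from the advisory or from Next.js): it parses observed Cache-Control values for routes that are expected to be uncacheable and flags the s-maxage=1, stale-while-revalidate pattern. The route names and sample header values are constructed for illustration.

```javascript
// Added example: audit Cache-Control values seen on routes that shared caches
// must never store. Routes and header values below are constructed samples.

// Parse a Cache-Control value into Map(directive -> argument or null).
// Simple comma split: quoted arguments containing commas are not supported.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of String(value || "").split(",")) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf("=");
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    directives.set(name, eq === -1 ? null : token.slice(eq + 1).trim());
  }
  return directives;
}

// Verdict for one response on a route expected to be uncacheable.
function auditUncacheableRoute(route, cacheControl) {
  const d = parseCacheControl(cacheControl);
  if (d.has("no-store") || d.has("private")) {
    return { route, verdict: "ok", reason: "shared caches may not store this" };
  }
  const sMaxAge = Number(d.get("s-maxage")); // NaN when absent
  if (sMaxAge === 1 && d.has("stale-while-revalidate")) {
    return { route, verdict: "alert", reason: "header pattern from CVE-2024-46982" };
  }
  if (sMaxAge > 0 || d.has("public") || Number(d.get("max-age")) > 0) {
    return { route, verdict: "warn", reason: "response is shared-cacheable" };
  }
  return { route, verdict: "warn", reason: "no no-store or private directive" };
}

const observations = [ // constructed (route, Cache-Control) pairs
  ["/dashboard", "private, no-cache, no-store, max-age=0, must-revalidate"],
  ["/account", "s-maxage=1, stale-while-revalidate"],
  ["/reports", "public, max-age=60"],
  ["/settings", ""],
];

function auditAll(pairs) {
  return pairs.map(([route, header]) => auditUncacheableRoute(route, header));
}

for (const r of auditAll(observations)) {
  console.log(`${r.verdict.toUpperCase().padEnd(5)} ${r.route}  ${r.reason}`);
}
```

Feed it the Cache-Control values collected by a synthetic probe or exported from CDN logs for the routes that use getServerSideProps; an "alert" verdict is the header named in the indicators list.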
How to Mitigate CVE-2024-46982
Immediate Actions Required
- Upgrade Next.js to version 13.5.7, 14.2.10, or later immediately
- Audit your application for pages using the pages router with non-dynamic server-side rendered routes
- Review CDN cache configurations and consider purging caches for affected routes
- Verify that your application's caching behavior is working as expected after upgrading
Patch Information
Vercel has released security patches addressing this vulnerability:
- Next.js v13.5.7 - Patched version for 13.x branch
- Next.js v14.2.10 - Patched version for 14.x branch
The patches remove the fallback revalidate value logic and explicitly set revalidate = 0 for server-side props to prevent cache poisoning. The fix is available in the following commits:
For full details, see the GitHub Security Advisory GHSA-gp8f-8m3g-qvj9.
Workarounds
- There are no official or recommended workarounds for this vulnerability; patching to a safe version is the only recommended remediation
- As a temporary measure, consider adding explicit Cache-Control: no-store headers at the CDN or reverse proxy level for affected routes
- If upgrading is not immediately possible, consider temporarily disabling CDN caching for pages router SSR routes
# Upgrade Next.js to patched version
npm install next@14.2.10
# Or for yarn users
yarn add next@14.2.10
# Verify the installed version
npx next --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


