CVE-2024-56332 Overview
CVE-2024-56332 is a Denial of Service (DoS) vulnerability affecting Next.js, the popular React framework for building full-stack web applications. This vulnerability allows attackers to construct malicious requests that cause Server Actions to hang indefinitely until the hosting provider terminates the function execution. The issue can also be leveraged as a Denial of Wallet (DoW) attack when deployed on providers that bill based on response times.
Critical Impact
Attackers can cause Server Actions to hang indefinitely, leading to service disruption and potential excessive billing on pay-per-use hosting platforms.
Affected Products
- Vercel Next.js versions 13.0.0 through 13.5.7
- Vercel Next.js versions 14.0.0 through 14.2.20
- Vercel Next.js versions 15.0.0 through 15.1.1
Discovery Timeline
- 2025-01-03 - CVE-2024-56332 published to NVD
- 2025-09-10 - Last updated in NVD database
Technical Details for CVE-2024-56332
Vulnerability Analysis
This vulnerability stems from improper resource allocation handling in Next.js Server Actions (CWE-770: Allocation of Resources Without Limits or Throttling). When an attacker sends a specially crafted request to a Server Action endpoint, the server keeps the connection open indefinitely while remaining largely idle. Although CPU and memory footprint remain low during this time, the connection persists until external mechanisms (such as hosting provider timeouts) terminate it.
The vulnerability is functionally equivalent to sending an HTTP request with an invalid Content-Length header or a request that never closes. Deployments without protection against long-running Server Action invocations are especially vulnerable to exploitation.
Root Cause
The root cause lies in how Next.js handles incoming requests to Server Actions. The framework does not implement adequate timeout mechanisms or resource limits for these requests, so an attacker can construct a request that the handler waits on without any bound on how long the connection may stay open. This falls under CWE-770 (Allocation of Resources Without Limits or Throttling), where the application fails to limit the resources allocated to individual requests.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can remotely target any Next.js deployment that uses Server Actions by sending specially crafted HTTP requests designed to exploit the connection handling weakness.
The attack works by constructing requests that cause the Server Action handler to wait indefinitely for input that never arrives, similar to HTTP request smuggling or slowloris-style attacks. Hosting providers like Vercel or Netlify typically set default maximum duration limits on function execution, which provides some mitigation, but deployments without such protections are fully exposed.
Detection Methods for CVE-2024-56332
Indicators of Compromise
- Unusual increase in long-running Server Action requests that do not complete
- Elevated connection counts to Server Action endpoints without corresponding response completion
- Unexpected billing spikes on hosting platforms that charge based on function execution time
- Server Action endpoints showing abnormal response time distributions
Detection Strategies
- Monitor Server Action endpoint response times for requests exceeding normal thresholds
- Implement alerting on connection counts that remain open beyond expected durations
- Review hosting provider logs for function execution timeouts related to Server Actions
- Analyze network traffic patterns for requests with malformed or missing Content-Length headers
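The detection strategies above can be applied to proxy or APM access records. The following is an added example, not code from Next.js or from the advisory: it picks out Server Action invocations (POST requests carrying a Next-Action header, which is how Next.js dispatches them) and flags those that exceeded a duration threshold, never completed, or received fewer body bytes than their Content-Length declared. The record format, field names and sample values are constructed for this example; adapt them to your own log source.

```javascript
// Constructed sample records (JSON lines) standing in for a proxy/APM export.
// status null means the proxy never saw a response before the connection was cut.
const SAMPLE_RECORDS = [
  '{"ts":"2025-01-05T10:00:01Z","method":"POST","path":"/dashboard","nextAction":"7f3a","contentLength":58,"bodyBytes":58,"durationMs":120,"status":200}',
  '{"ts":"2025-01-05T10:00:02Z","method":"POST","path":"/dashboard","nextAction":"7f3a","contentLength":4096,"bodyBytes":17,"durationMs":30000,"status":504}',
  '{"ts":"2025-01-05T10:00:03Z","method":"GET","path":"/dashboard","nextAction":null,"contentLength":null,"bodyBytes":0,"durationMs":45,"status":200}',
  '{"ts":"2025-01-05T10:00:04Z","method":"POST","path":"/dashboard","nextAction":"7f3a","contentLength":null,"bodyBytes":0,"durationMs":30000,"status":null}',
];

// Server Actions are POST requests that carry a Next-Action header with the action id.
function isServerAction(rec) {
  return rec.method === 'POST' && typeof rec.nextAction === 'string';
}

// Return the list of reasons a record looks like a hung or incomplete invocation.
function classify(rec, maxDurationMs) {
  const reasons = [];
  if (rec.durationMs > maxDurationMs) reasons.push('duration-exceeded');
  if (rec.status === null || rec.status === 504) reasons.push('no-completion');
  if (rec.contentLength === null) reasons.push('missing-content-length');
  else if (rec.bodyBytes < rec.contentLength) reasons.push('short-body');
  return reasons;
}

// Scan records, collect findings and a per-action count of total vs suspicious calls.
function detectHangingActions(lines, { maxDurationMs = 10000 } = {}) {
  const findings = [];
  const perAction = new Map(); // action id -> { total, suspicious }
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; } // skip malformed records
    if (!isServerAction(rec)) continue;
    const stats = perAction.get(rec.nextAction) || { total: 0, suspicious: 0 };
    stats.total += 1;
    const reasons = classify(rec, maxDurationMs);
    if (reasons.length > 0) {
      stats.suspicious += 1;
      findings.push({ ts: rec.ts, path: rec.path, action: rec.nextAction, reasons });
    }
    perAction.set(rec.nextAction, stats);
  }
  return { findings, perAction: Object.fromEntries(perAction) };
}

console.log(JSON.stringify(detectHangingActions(SAMPLE_RECORDS), null, 2));
```

A sustained rise in the suspicious-to-total ratio for one action id, rather than a single slow call, is the signal worth alerting on.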
Monitoring Recommendations
- Configure application performance monitoring (APM) to track Server Action execution durations
- Set up billing alerts on cloud hosting platforms to detect potential Denial of Wallet attacks
- Enable detailed logging for Server Action requests including connection lifecycle events
- Monitor for patterns consistent with slowloris-style attacks targeting Server Action endpoints
How to Mitigate CVE-2024-56332
Immediate Actions Required
- Upgrade Next.js to version 13.5.8, 14.2.21, or 15.1.2 depending on your major version
- Review hosting provider timeout configurations to ensure function execution limits are in place
- Audit all Server Action implementations in your application
- Implement rate limiting at the infrastructure level as a defense-in-depth measure
Patch Information
Vercel has addressed this vulnerability in Next.js versions 13.5.8, 14.2.21, and 15.1.2. Organizations should upgrade to the appropriate patched version based on their current major version deployment. Detailed information about the security fix is available in the GitHub Security Advisory GHSA-7m27-7ghc-44w9.
Workarounds
- There are no official workarounds provided by the vendor
- As a temporary measure, configure hosting provider function execution timeouts to minimize exposure
- Implement infrastructure-level request timeouts and rate limiting
- Consider temporarily disabling non-essential Server Actions until patches can be applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.