GHSA-7gfc-8cq8-jh5f

GitHub Security Advisory

Next.js authorization bypass vulnerability

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

### Impact
If a Next.js application performs authorization in middleware based on the request pathname, that authorization could be bypassed.
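The pattern the advisory describes is a middleware that decides, from the pathname alone, whether a request needs a session. The defensive structure below is an added example, not code from the advisory or from the Next.js project: the same policy is enforced in a middleware-style check and again inside the route handler, so a request that reaches the handler without having been evaluated by the middleware still fails closed. The request and session objects are simplified plain objects (not Next.js types), and the protected prefixes `/admin` and `/account` are assumptions for illustration.

```javascript
// Added example (not from the advisory or the Next.js project): pathname-based
// authorization applied in two layers so that the middleware is not the only
// place a missing session is detected.
// Request/session objects are plain objects, not Next.js types.

// Assumed policy: everything under /admin and /account requires a session.
const PROTECTED_PREFIXES = ["/admin", "/account"];

// Exact match or a path segment boundary; "/administrator" is not protected.
function pathRequiresAuth(pathname) {
  return PROTECTED_PREFIXES.some(
    (p) => pathname === p || pathname.startsWith(p + "/")
  );
}

// Layer 1: middleware-style check keyed on the pathname. Returns an early
// response (redirect to login) or null to fall through to the handler.
function middleware(request) {
  if (pathRequiresAuth(request.pathname) && !request.session) {
    return { status: 302, location: "/login" };
  }
  return null;
}

// Layer 2: the handler re-checks the session itself, independent of whether
// the middleware ran. This is the defense-in-depth step.
function withAuth(handler) {
  return (request) => {
    if (!request.session) {
      return { status: 401, body: "unauthorized" };
    }
    return handler(request);
  };
}

const adminDashboard = withAuth((request) => ({
  status: 200,
  body: `hello ${request.session.user}`,
}));

// Simulated request pipeline. `skipMiddleware` models a request that, for
// whatever reason, was never evaluated by the middleware layer.
function handle(request, skipMiddleware = false) {
  if (!skipMiddleware) {
    const early = middleware(request);
    if (early) return early;
  }
  return adminDashboard(request);
}

// Constructed requests for a quick demonstration.
console.log(handle({ pathname: "/admin", session: null }));
console.log(handle({ pathname: "/admin", session: null }, true));
console.log(handle({ pathname: "/admin", session: { user: "alice" } }));
```

The point of `withAuth` is that the handler's own check does not depend on the middleware having run: an anonymous request that somehow reaches the handler gets a 401 rather than the page. After upgrading to a fixed Next.js release, keeping both layers costs little and removes the single point of failure the advisory describes.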

### Patches
This issue was patched in Next.js `14.2.15` and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

### Workarounds
There are no official workarounds for this vulnerability.
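With no workaround available, the actionable step is to find installs on an affected `next` version and move them to `14.2.15` or later. The script below is an added example, not tooling from the advisory or the Next.js project: it reads the resolved `next` version out of a `package-lock.json` object and reports whether it falls in the affected range. It assumes the page's entry "Affected versions: 9.5.5 (fixed in 14.2.15)" denotes the range `>= 9.5.5, < 14.2.15`, treats semver prerelease tags as ordered before the corresponding release, and the lockfile fragment is constructed for the demonstration.

```javascript
// Added example (not from the advisory or the Next.js project): audit the
// resolved "next" version in a package-lock.json object against the range
// the advisory page gives. Assumption: "9.5.5 (fixed in 14.2.15)" is read as
// >= 9.5.5 and < 14.2.15.

const FIRST_AFFECTED = "9.5.5";
const FIXED_IN = "14.2.15";

// Parses "14.2.15", "v14.2.15" or "14.2.15-canary.3" into a comparable tuple.
// The fourth element orders a prerelease (0) before its release (1), matching
// semver precedence. Ranges such as "^14.2.0" are rejected: a lockfile pin is
// needed to know what is actually installed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a pinned semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// Returns -1, 0 or 1 in the usual comparator sense.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < pa.length; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, FIRST_AFFECTED) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Lockfile v2/v3 records the installed version under
// packages["node_modules/next"].version; returns null when next is absent.
function nextVersionFrom(lockfile) {
  const entry = lockfile.packages && lockfile.packages["node_modules/next"];
  return entry && entry.version ? entry.version : null;
}

function auditLock(lockfile) {
  const version = nextVersionFrom(lockfile);
  if (version === null) return { found: false };
  return { found: true, version, affected: isAffected(version), fixedIn: FIXED_IN };
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "^14.2.0" } },
    "node_modules/next": { version: "14.2.10" },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_LOCK)));
```

Reading the resolved version from the lockfile rather than the `package.json` range matters here: a range like `^14.2.0` can resolve to either side of the fix boundary, and it is the pinned entry that tells you what is actually deployed.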

#### Credits
We'd like to thank [tyage](http://github.com/tyage) (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

Affected Packages

npm next
Affected versions: 9.5.5 (fixed in 14.2.15)

Key Information

GHSA ID
GHSA-7gfc-8cq8-jh5f
Published
December 17, 2024 3:09 PM
Last Modified
December 19, 2024 3:04 PM
CVSS Score
7.5 / 10
Primary Ecosystem
npm
Primary Package
next
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.