CVE-2024-56332
Next.js Allows a Denial of Service (DoS) with Server Actions
Description
### Impact A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. _Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time._ Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. ### Patches This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version. ### Workarounds There are no official workarounds for this vulnerability. ### Credits Thanks to the PackDraw team for responsibly disclosing this vulnerability.
How to fix CVE-2024-56332
To remediate CVE-2024-56332, upgrade the affected package to a fixed version below.
- —upgrade to 13.5.8 or later
Is CVE-2024-56332 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 13.0.0, < 13.5.8
CVSS scores
| Source |
|---|