关联漏洞
标题:
Next.js 安全漏洞
(CVE-2024-46982)
描述:Next.js是Vercel开源的一个 React 框架。 Next.js 13.5.1版本至14.2.10之前版本存在安全漏洞。攻击者利用该漏洞通过发送特制HTTP请求,毒害页面路由器中非动态服务器端呈现路由的缓存。
描述
The CVE-2024-46982 is cache poisoning of next_js some site have API to load their image
介绍
CVE-2024-4698 is a cache poisoning vulnerability in Next.js that impacts versions 13.5.1 to 13.5.7, as well as 14.0.0 through 14.2.10. The issue arises when websites leverage the _next/image?url= API with the ?url= parameter, enabling attackers to load images hosted on their own servers. These custom attacker images can also become permanently stored on the victim’s website, even if the attacker stops their Ngrok or Apache service.
Attackers can use tunneling tools like Ngrok or an Apache server to deliver malicious images from their local systems. Additionally, introducing delays in the script can help circumvent protections on servers that enforce timing-based upload restrictions.
文件快照
[4.0K] /data/pocs/2979c728a35da6d2c8b4c3b2df38e52baf8f0252
├── [1.8K] next_js_image_cache.py
└── [ 695] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。