Vulnerability Report

CVE-2024-34350

Title: Vercel Next.Js

Other

Proof Of Concept

PoC Available for CVE-2024-34350

CWE Category CWE-444

Published Date May 14, 2024

Modified Date Sep 10, 2025

Exploit Status Available

Score 7.5 CVSS v3.1

Exploit Probability (EPSS)

0.89%

Vulnerability Summary

CVE-2024-34350: Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to be making use of the [rewrites](https://nextjs.org/docs/app/api-reference/next-config-js/rewrites) feature in Next.js. The vulnerability is resolved in Next.js `13.5.1` and newer.

Impacted Vendors

zeit 1

vercel 1

kanopi 1

Reference Links

https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf

CVSS v3.1

Source Entity [email protected]

Severity HIGH

7.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2024-34350 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/Sudistark/rewrites-nextjs-CVE-2024-34350

View Code

September 10, 2025 MODIFIED

Vulnerability data or affected products updated.

May 14, 2024 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Stack

No specific products linked.