CVE-2024-51479: 
JavaScript vulnerability analysis and mitigation

Next.js, a popular React framework for building full-stack web applications, was found to contain a high-severity authorization bypass vulnerability (CVE-2024-51479) affecting versions 9.5.5 through 14.2.14. The vulnerability was discovered by tyage from GMO Cybersecurity by IERAE and received a CVSS score of 7.5. The issue allows unauthorized access to pages directly under the application's root directory when authorization is performed in middleware based on pathname (Security Online, GitHub Advisory).

The vulnerability specifically affects pages located directly under the application's root directory when authorization is performed in middleware based on pathname. For example, while 'example.com/' and 'example.com/foo/bar' are not affected, 'example.com/foo' is vulnerable to the authorization bypass. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that it can be exploited remotely with no privileges required (GitHub Advisory).

The impact of this vulnerability is significant due to Next.js's widespread adoption, with over 7.9 million weekly downloads on npm. The flaw could potentially expose sensitive application data to unauthorized users by bypassing authorization checks on affected pages. This poses a particular risk for applications that rely on middleware-based authorization for securing sensitive routes (Security Online).

The vulnerability has been patched in Next.js version 14.2.15 and later. Users are strongly urged to update their Next.js applications to the latest version immediately. For applications hosted on Vercel, the vulnerability has been automatically mitigated regardless of the Next.js version being used. There are no official workarounds for this vulnerability (GitHub Advisory).