CVE-2024-56332: 
JavaScript vulnerability analysis and mitigation

Next.js, a React framework for building full-stack web applications, was found to contain a vulnerability (CVE-2024-56332) affecting versions 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2. The vulnerability allows attackers to perform Denial of Service (DoS) attacks by constructing requests that leave Server Actions hanging until the hosting provider cancels the function execution (GitHub Advisory).

The vulnerability specifically affects Next.js deployments using Server Actions. When exploited, the Next.js server remains idle and maintains an open connection with low CPU and memory footprint. The issue is similar to scenarios where incoming HTTP requests have invalid Content-Length headers or never close. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory).

The vulnerability can be exploited as both a Denial of Service (DoS) attack and a Denial of Wallet (DoW) attack when deployed in providers that bill by response times. Deployments without protection against long-running Server Action invocations are particularly vulnerable, though hosting providers like Vercel and Netlify typically implement default maximum durations on function execution to mitigate excessive billing risks (Security Online).

The vulnerability has been patched in Next.js versions 13.5.8, 14.2.21, and 15.1.2. Users are strongly advised to upgrade to these patched versions as there are no official workarounds available (GitHub Advisory).