Update to latest version of nextjs

[dsotirho-ucsc]

From ZAP scan 2025-03-03
Severity: High

The identified library nextjs, version 14.2.13 is vulnerable.

Other Info: CVE-2024-51479

Identified at:

• https://explore.data.humancellatlas.org/_next/static/chunks/main-65ea4ed924b2af48.js
• https://explore.anvilproject.org/_next/static/chunks/main-65ea4ed924b2af48.js

Recommended solution:
Please upgrade to the latest version of nextjs.

[achave11-ucsc]

Assignee to coordinate with CC.

[bvizzier-ucsc]

@NoopDog Please address when you can. As a medium finding, it has a 30 day timer.

[achave11-ucsc]

Assignee to get commitment from CC as to when it will be done.

[NoopDog]

@bvizzier-ucsc @achave11-ucsc

• This issue is patched in Next.js 14.2.15
• We will update to the patch version next week.

However, note that:

This is a server-side vulnerability, and we have no server:

In affected versions, if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory.

• We are not performing authorization in middleware based on pathname.

[nolunwa-ucsc]

CVE-2024-51479 is a server-side vulnerability. It affects Next.js versions 9.5.5 to 14.2.14 and allows bypassing authorization checks when using pathname-based middleware for authorization. This means an attacker could gain unauthorized access to pages within the application.

Elaboration:

• Vulnerability: The vulnerability is a missing authorization check in Next.js when using path-based middleware to enforce access restrictions.
• Impact: If an attacker can trigger this vulnerability, they can bypass the authorization checks and gain unauthorized access to pages within the Next.js application.
• Affected Versions: The vulnerability impacts Next.js versions 9.5.5 to 14.2.14.
• Mitigation: The vulnerability has been fixed in Next.js version 14.2.15 and later. Apps on Vercel are also automatically protected.
• Server-Side: The vulnerability lies on the server side because the authorization check is performed by the middleware, which is part of the server-side code of the Next.js application.

@NoopDog i will still encourage your team to upgrade this week.

@dsotirho-ucsc this can be closed in the spreadheet and i will move this to closed in the POA&M