SCA: security update for next (GHSA-7m27-7ghc-44w9)

medium Tenable Self-Hosted Container Security Plugin ID 412123

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and
prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack
that allows attackers to construct requests that leaves requests to Server Actions hanging until the
hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet
(DoW) attack when deployed in providers billing by response times. (Note: Next.js server is idle during
that time and only keeps the connection open. CPU and memory footprint are low during that time.).
Deployments without any protection against long running Server Action invocations are especially
vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution
to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an
invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this
vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The
issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe
version. There are no official workarounds. (CVE-2024-56332)

See Also

https://github.com/advisories/GHSA-7m27-7ghc-44w9

Plugin Details

Severity: Medium

ID: 412123

Version: Revision 1.14

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.2

Percentile: 51.06

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2024-56332

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/3/2025

Vulnerability Publication Date: 1/3/2025

Reference Information

CVE: CVE-2024-56332

cwe: CWE-770