Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cache Poisoning and XSS attacks caused a 500 status code (QoS issue) #75296

Open
ale-grosselle opened this issue Jan 24, 2025 · 0 comments
Open

Cache Poisoning and XSS attacks caused a 500 status code (QoS issue) #75296

ale-grosselle opened this issue Jan 24, 2025 · 0 comments
Labels
Pages Router Related to Pages Router. Runtime Related to Node.js or Edge Runtime with Next.js.

Comments

@ale-grosselle
Copy link

ale-grosselle commented Jan 24, 2025
edited
Loading

Link to the code that reproduces this issue

https://github.com/ale-grosselle/next-js-bug-500

To Reproduce

Fetch Request Example

  1. Run the application locally:
npm run dev
  1. Send the following fetch request (you can use Curl or send it using the browser console):
fetch("http://localhost:3002/gssp", {
  method: "GET",
  headers: {
    "x-now-route-matches": "-1"
  }
})
  .then((response) => {
    console.log("Status Code:", response.status);
    return response.text();
  })
  .then((data) => {
    console.log("Response Body:", data);
  })
  .catch((error) => {
    console.error("Error:", error);
  });
  1. Observe the 500 error in the response and the logs.

Current vs. Expected behavior

Image Image

Provide environment information

Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 23.6.0: Thu Sep 12 23:35:29 PDT 2024; root:xnu-10063.141.1.701.1~1/RELEASE_ARM64_T6000
  Available memory (MB): 32768
  Available CPU cores: 10
Binaries:
  Node: 20.12.1
  npm: 10.5.1
  Yarn: 1.22.22
  pnpm: 9.15.4
Relevant Packages:
  next: 14.2.23 // An outdated version detected (latest is 15.1.6), upgrade is highly recommended!
  eslint-config-next: N/A
  react: 18.3.1
  react-dom: 18.3.1
  typescript: 5.7.3
Next.js Config:
  output: N/A
 ⚠ An outdated version detected (latest is 15.1.6), upgrade is highly recommended!
   Please try the latest canary version (`npm install next@canary`) to confirm the issue still exists before creating a new issue.
   Read more - https://nextjs.org/docs/messages/opening-an-issue

Which area(s) are affected? (Select all that apply)

Pages Router, Runtime

Which stage(s) are affected? (Select all that apply)

Other (Deployed)

Additional context

Only version 14 (latest) has this issue, while version 15 does not have this problem.
On our side, it's a major problem because it generates many 500 errors when there's a potential attack, disrupts our QoS, and triggers the onColl (likely "on Collaboration" or "on Collect") alerts.

https://cyberpress.org/critical-vulnerability-in-next-js-framework-exposes-websites/
@github-actions github-actions bot added Pages Router Related to Pages Router. Runtime Related to Node.js or Edge Runtime with Next.js. labels Jan 24, 2025
@ale-grosselle ale-grosselle changed the title 500 status caused by Cache Poisoning and XSS attacks Cache Poisoning and XSS attacks caused a 500 status code (QoS issue) Jan 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Pages Router Related to Pages Router. Runtime Related to Node.js or Edge Runtime with Next.js.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ale-grosselle