
[GHSA-77r5-gw3j-2mpf] Next.js Vulnerable to HTTP Request Smuggling

Open: myHerbDev opened this pull request 1 year ago • 2 comments

Updates

  • Affected products
  • CVSS

Comments

Suggestions are submitted as a pull request to be reviewed by the GitHub Security Curators team.

Pull request opened by myHerbDev, May 22 '24 01:05.

Hi there @jackwilson323! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

-- github, May 22 '24 01:05

Thanks for submitting this PR @myHerbDev. I think changing S:U to S:C is sensible.

At the same time, I'm considering if it's worth updating AC:L to AC:H. Based on the CVSS metric value definitions:

  • Low: Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
  • High: A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.

An attacker couldn't reliably exploit this against any Next.js app on the affected versions, they would require knowledge of which routes are performing rewrites. While this could (for some apps) be enumerated from open source code, I don't believe that's reliable enough and would start to creep into the definition of "measurable amount of effort in preparation..." from the AC:H metric.

Let me know your thoughts!

-- ghost (a deleted GitHub account), May 23 '24 12:05

Apologies for the delay on getting to this. Is this still something you're open to @jackwilson323? It looks like @myHerbDev might not be engaged here.

-- darakian, Jul 08 '24 18:07

Hey @darakian, I'm open to adjusting the CVSS to ensure the metrics are reflected correctly, but the actual benefit of doing so is somewhat limited as it would result in the same overall CVSS score as shown here.

-- ghost, Jul 09 '24 08:07

I mean the CVSS score is more than just a number. Users can filter on the specific components to better sort their alert flow, but ya that is also not a game changer. I do like the changes myself, so if you're ok with it I'll close this PR out as myHerbDev seems to be afk or something and I'll make the changes manually on our end.

-- darakian, Jul 09 '24 17:07

Sounds good to me!

-- ghost, Jul 09 '24 18:07

Done and done 👍

-- darakian, Jul 09 '24 18:07