github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-77r5-gw3j-2mpf] Next.js Vulnerable to HTTP Request Smuggling #4458

Status: Closed (myHerbDev closed this 2 months ago)

myHerbDev commented 4 months ago

Updates

Comments

Suggestions are submitted as a pull request to be reviewed by the GitHub Security Curators team.

github commented 4 months ago

Hi there @jackwilson323! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

jackwilson323 commented 4 months ago

Thanks for submitting this PR @myHerbDev. I think changing S:U to S:C is sensible.

At the same time, I'm considering if it's worth updating AC:L to AC:H. Based on the CVSS metric value definitions:

An attacker couldn't reliably exploit this against any Next.js app on the affected versions, they would require knowledge of which routes are performing rewrites. While this could (for some apps) be enumerated from open source code, I don't believe that's reliable enough and would start to creep into the definition of "measurable amount of effort in preparation..." from the AC:H metric.

Let me know your thoughts!

darakian commented 3 months ago

Apologies for the delay on getting to this. Is this still something you're open to @jackwilson323? It looks like @myHerbDev might not be engaged here.

jackwilson323 commented 3 months ago

Hey @darakian, I'm open to adjusting the CVSS to ensure the metrics are reflected correctly, but the actual benefit of doing so is somewhat limited as it would result in the same overall CVSS score as shown here.

darakian commented 2 months ago

I mean the CVSS score is more than just a number. Users can filter on the specific components to better sort their alert flow, but ya, that is also not a game changer. I do like the changes myself, so if you're ok with it I'll close this PR out, as myHerbDev seems to be afk or something, and I'll make the changes manually on our end.

jackwilson323 commented 2 months ago

Sounds good to me!

darakian commented 2 months ago

Done and done 👍