Next.js Vulnerable to HTTP Request Smuggling
Description
Next.js before 13.5.1 has a response queue poisoning vulnerability due to inconsistent HTTP request parsing when using rewrites.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Next.js versions prior to 13.5.1 are affected by a response queue poisoning vulnerability (CVE-2024-34350). The root cause is an inconsistent interpretation of a crafted HTTP request: the same bytes are handled as a single request in one place and as two separate requests in another, so the responses written to the connection fall out of step with the requests they belong to (desynchronized responses) [1].
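The desynchronization described above comes down to two parsers disagreeing on where one request ends. The following added example (not code from Next.js or from the advisory) shows the generic mechanism with the textbook Content-Length versus Transfer-Encoding disagreement: parser A frames the bytes as one request, parser B as two, so any response queue built on top of them is misaligned. The advisory does not say which headers the Next.js rewrite path mishandled, so the header pair, the parser names and the sample request are all illustrative assumptions, not the Next.js vector.

```javascript
// Added example: two parsers that disagree on where a request body ends see a
// different number of requests in the same bytes. Generic request-smuggling
// mechanism (Content-Length vs Transfer-Encoding), NOT the Next.js vector or code.

// Split a raw request head into its request line and a lower-cased header map.
function parseHead(raw) {
  const end = raw.indexOf('\r\n\r\n');
  if (end === -1) return null;                       // incomplete head
  const lines = raw.slice(0, end).split('\r\n');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { requestLine: lines[0], headers, bodyStart: end + 4 };
}

// Parser A: body length comes from Content-Length only (chunking is ignored).
function splitByContentLength(raw) {
  const requests = [];
  let offset = 0;
  while (offset < raw.length) {
    const head = parseHead(raw.slice(offset));
    if (!head) break;
    const len = parseInt(head.headers['content-length'] || '0', 10);
    const start = offset + head.bodyStart;
    requests.push({ requestLine: head.requestLine, body: raw.slice(start, start + len) });
    offset = start + len;
  }
  return requests;
}

// Parser B: Transfer-Encoding: chunked takes precedence over Content-Length (RFC 9112 s6.3).
function splitByTransferEncoding(raw) {
  const requests = [];
  let offset = 0;
  while (offset < raw.length) {
    const head = parseHead(raw.slice(offset));
    if (!head) break;
    let pos = offset + head.bodyStart;
    let body = '';
    if ((head.headers['transfer-encoding'] || '').toLowerCase() === 'chunked') {
      for (;;) {                                     // decode chunks up to the 0-size chunk
        const lineEnd = raw.indexOf('\r\n', pos);
        if (lineEnd === -1) return requests;         // truncated chunk header: stop
        const size = parseInt(raw.slice(pos, lineEnd), 16);
        pos = lineEnd + 2;
        if (size === 0) { pos += 2; break; }         // skip the terminating CRLF
        body += raw.slice(pos, pos + size);
        pos += size + 2;                             // chunk data plus its CRLF
      }
    } else {
      const len = parseInt(head.headers['content-length'] || '0', 10);
      body = raw.slice(pos, pos + len);
      pos += len;
    }
    requests.push({ requestLine: head.requestLine, body });
    offset = pos;
  }
  return requests;
}

// Compare how the two parsers frame the same byte stream.
function desyncReport(raw) {
  const a = splitByContentLength(raw);
  const b = splitByTransferEncoding(raw);
  return {
    parserA: a.map((r) => r.requestLine),
    parserB: b.map((r) => r.requestLine),
    desynced: a.length !== b.length,
  };
}

// Constructed sample (assumption, not a captured request): the second request
// line sits inside what parser A treats as the first request's body, while
// parser B ends the chunked body early and starts a new request there.
const HIDDEN = 'GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n';
const BODY = '0\r\n\r\n' + HIDDEN;
const AMBIGUOUS = 'POST / HTTP/1.1\r\nHost: app.example\r\n' +
  `Content-Length: ${BODY.length}\r\nTransfer-Encoding: chunked\r\n\r\n` + BODY;
const PLAIN = 'POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello';

console.log(desyncReport(AMBIGUOUS)); // parserA sees 1 request, parserB sees 2, desynced: true
console.log(desyncReport(PLAIN));     // both see 1 request, desynced: false
```

Run with `node`. The point a practitioner should take from the two outputs is that nothing in the ambiguous request is malformed on its own; the desync exists only because two components apply different framing rules, which is why the fix for this class of bug is to make every parsing stage agree (or reject ambiguous framing outright) rather than to filter individual requests.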
Exploitation
For successful exploitation, the affected route must be using the rewrites feature in Next.js. An attacker can send a specially crafted HTTP request that triggers the inconsistency, potentially allowing them to poison the response queue [1].
Impact and Mitigation
A successful attack poisons the response queue: once responses are desynchronized from the requests they belong to, subsequent users sharing the affected connection can be served malicious or mismatched content instead of the response they requested. The vulnerability is fixed in Next.js 13.5.1 and later versions [1][3]. Users should upgrade immediately.
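The practical check that follows from the mitigation is whether any installed copy of `next` falls in the advisory's affected range (>= 13.4.0, < 13.5.1). The added example below (not code from Next.js or from the advisory) walks an npm `package-lock.json` (lockfileVersion 2 or 3) and reports every vulnerable copy, including nested ones. It uses a small hand-rolled semver compare so it runs with no dependencies; the lockfile contents are constructed, and treating a `13.5.1-canary.*` prerelease as still affected is a conservative assumption of this example, since it sorts below the fixed release.

```javascript
// Added check (not part of Next.js or the advisory): flag installed `next`
// versions inside the GHSA range >= 13.4.0, < 13.5.1 from a package-lock.json.

const AFFECTED_MIN = '13.4.0';   // inclusive lower bound, from the GHSA range
const PATCHED = '13.5.1';        // first fixed release, exclusive upper bound

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] || null };
}

// Semver-style compare: numeric core first; a prerelease sorts below its release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;   // lexical fallback, sufficient for canary tags
}

function isAffectedNextVersion(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 && compareVersions(version, PATCHED) < 0;
}

// Walk the lockfile's "packages" map and report every installed copy of next,
// including copies nested under other packages' node_modules.
function findVulnerableNext(lock) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === 'node_modules/next' || p.endsWith('/node_modules/next')) {
      if (meta.version && isAffectedNextVersion(meta.version)) {
        hits.push({ path: p, version: meta.version });
      }
    }
  }
  return hits;
}

// Constructed lockfile (assumption, not a real project): a root app on a
// vulnerable release plus a nested copy on a prerelease of the fixed version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { next: '^13.4.12' } },
    'node_modules/next': { version: '13.4.12' },
    'node_modules/some-tool/node_modules/next': { version: '13.5.1-canary.3' },
  },
};

console.log(findVulnerableNext(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. Only the lockfile is authoritative: a `^13.4.12` range in `package.json` says nothing about which version is actually installed, and a nested copy pulled in by another dependency is exactly the one a root-only check misses.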
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| next (npm) | >= 13.4.0, < 13.5.1 | 13.5.1 |
Affected products
Patches
44eba020c615 improve publish-release (#55597)
1 file changed · +12 −9
scripts/publish-release.js+12 −9 modified@@ -56,6 +56,8 @@ const cwd = process.cwd() ], { stdio: 'inherit' } ) + // Return here to avoid retry logic + return } catch (err) { console.error(`Failed to publish ${pkg}`, err) @@ -69,21 +71,22 @@ const cwd = process.cwd() return } - if (retry < 3) { - const retryDelaySeconds = 15 - console.log(`retrying in ${retryDelaySeconds}s`) - await new Promise((resolve) => - setTimeout(resolve, retryDelaySeconds * 1000) - ) - await publish(pkg, retry + 1) + if (retry >= 3) { + throw err } - throw err } finally { publishSema.release() } + // Recursive call need to be outside of the publishSema + const retryDelaySeconds = 15 + console.log(`retrying in ${retryDelaySeconds}s`) + await new Promise((resolve) => + setTimeout(resolve, retryDelaySeconds * 1000) + ) + await publish(pkg, retry + 1) } - await Promise.all( + await Promise.allSettled( packageDirs.map(async (packageDir) => { const pkgJson = await readJson( path.join(packagesDir, packageDir, 'package.json')
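Review bot: the `await Promise.all(` to `await Promise.allSettled(` change in the last hunk means a package that fails all of its publish retries no longer rejects the outer await, and nothing in the visible lines inspects the settled results, so the release script can finish with exit status 0 while packages are unpublished; iterate the returned array and throw, or set a non-zero exit code, when any entry has `status === 'rejected'`. In the retry hunk the move of the delay-and-recurse block after `finally` is sound, because the `throw err` path when `retry >= 3` and the early `return` after a successful publish both leave the function before reaching it, but the comment should read "Recursive call needs to be outside of the publishSema". Separately, this commit touches only scripts/publish-release.js, the release tooling, not request parsing or rewrite handling, so on its own it does not address the parsing inconsistency this advisory describes; the v13.5.0...v13.5.1 compare in the references is the relevant set of changes.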
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-77r5-gw3j-2mpf (ghsa, ADVISORY)
- [2] nvd.nist.gov/vuln/detail/CVE-2024-34350 (ghsa, ADVISORY)
- [3] github.com/vercel/next.js/commit/44eba020c615f0d9efe431f84ada67b81576f3f5 (ghsa, WEB)
- [4] github.com/vercel/next.js/compare/v13.5.0...v13.5.1 (ghsa, WEB)
- [5] github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.