{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T07:34:04.380","vulnerabilities":[{"cve":{"id":"CVE-2024-34350","sourceIdentifier":"security-advisories@github.com","published":"2024-05-14T15:38:41.890","lastModified":"2025-09-10T15:36:59.130","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to be making use of the [rewrites](https://nextjs.org/docs/app/api-reference/next-config-js/rewrites) feature in Next.js. The vulnerability is resolved in Next.js `13.5.1` and newer."},{"lang":"es","value":"Next.js es un framework React que puede proporcionar componentes básicos para crear aplicaciones web. Antes de 13.5.1, una interpretación inconsistente de una solicitud HTTP manipulada significaba que Next.js trataba las solicitudes como una sola solicitud y como dos solicitudes separadas, lo que generaba respuestas desincronizadas. Esto provocó una vulnerabilidad de envenenamiento de la cola de respuestas en las versiones de Next.js afectadas. Para que una solicitud fuera explotable, la ruta afectada también tenía que utilizar la función [reescrituras](https://nextjs.org/docs/app/api-reference/next-config-js/rewrites) en Next. js. La vulnerabilidad se resuelve en Next.js `13.5.1` y versiones posteriores."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-444"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*","versionStartIncluding":"13.4.0","versionEndExcluding":"13.5.1","matchCriteriaId":"20103AF7-B873-4F22-B963-7D88189BD9E8"}]}]}],"references":[{"url":"https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}}]}