This repository has been archived by the owner on Jul 2, 2024. It is now read-only.

Mitigate Next.js Vulnerability in Error Pages #116

Open

boulder225 opened this issue Apr 10, 2024 · 0 comments

🎯 Problem to be solved

The inclusion of JavaScript code from Next.js v13.3.0, which has a known high-severity vulnerability (CVE-2023-46298), in error page responses poses a potential security risk and could lead to a Denial of Service (DoS) attack. This is specifically due to the https://obol.tech/blocked page. Need to fix the #103 PR and merge.

To fix, this PR obol-ui update is needed, but the navbar component will not work as router.events were removed in newer Next.js versions. So the root cause is fixing this.

Pen testing report: https://docs.google.com/spreadsheets/d/1OUYfc41qVqvMiVpysQ0suyAYmMrA2XkfIz2ky9WHXKg/edit#gid=0

🛠️ Proposed solution

  • Upgrade to the latest version of Next.js
  • Remove or replace the vulnerable JavaScript code from error page responses
  • Implement Content Security Policy (CSP)
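The CSP bullet above, worked through as an added example that is not part of this issue or of the obol-ui / obol.tech code: a small helper that serialises a policy object into a Content-Security-Policy header value and returns it, together with two companion headers, in the shape the `headers()` hook of next.config.js expects, so the policy reaches every matched route rather than only the main pages. The directive values are constructed placeholders (a real policy is derived from the assets the site actually loads), and the `source` glob `/:path*` is the match-everything pattern Next.js documents for `headers()`. A CSP limits what injected or stale script can do once it is served; it does not replace the first bullet, since the vulnerable script is only removed by upgrading Next.js.

```javascript
// Added example, not code from the obol repository. Builds a CSP header and
// exposes it through the next.config.js `headers()` hook.

// Constructed placeholder policy: deny by default, allow only same-origin
// assets, forbid framing and plugins. Tighten or extend per site.
const policy = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],          // no inline or third-party script
  "style-src": ["'self'"],
  "img-src": ["'self'", "data:"],
  "connect-src": ["'self'"],
  "frame-ancestors": ["'none'"],     // page may not be embedded (clickjacking)
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "form-action": ["'self'"],
};

// Serialise { directive: [values] } into "directive v1 v2; directive ...".
// A directive with no values (e.g. upgrade-insecure-requests) is emitted bare.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) =>
      values.length ? `${name} ${values.join(" ")}` : name
    )
    .join("; ");
}

// Header rules in the next.config.js `headers()` format. "/:path*" matches
// every route, so error responses are covered as well as normal pages.
function securityHeaders(cspValue) {
  return [
    {
      source: "/:path*",
      headers: [
        { key: "Content-Security-Policy", value: cspValue },
        { key: "X-Content-Type-Options", value: "nosniff" },
        { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
      ],
    },
  ];
}

// The object next.config.js would export (module.exports = nextConfig).
const nextConfig = {
  async headers() {
    return securityHeaders(buildCsp(policy));
  },
};
```

Keep the policy in `Report-Only` mode first (`Content-Security-Policy-Report-Only` with the same value) and watch the violation reports before enforcing it, because a too-strict `script-src` will also block the framework's own bundles.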
@github-actions github-actions bot added the launchpad Launchpad Team Tickets label Apr 10, 2024
@boulder225 boulder225 added pentest sayfer and removed launchpad Launchpad Team Tickets labels Apr 10, 2024