Research Notes
May 9, 2024

Advisory: Next.js SSRF (CVE-2024-34351)

Creative Commons license


A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. An attacker is able to read the full HTTP response when successfully exploiting this SSRF issue.


An attacker can make arbitrary requests to URLs and read the full HTTP response made through these requests. As the requests originate from the server, an attacker could leverage this bug to access the internal network or metadata IPs for privilege escalation.

Affected Software

Next.js >=13.4 <14.1.1

Product Description

Next.js is an open-source web development framework created by the private company Vercel providing React-based web applications with server-side rendering and static website generation.


Upgrade to Next.js 14.1.1.

Blog Post

The blog post for this issue can be found here.


Shubham Shah - Assetnote Security Research Team

Adam Kues - Assetnote Security Researcher

Written by:
Shubham Shah
Adam Kues
Your subscription could not be saved. Please try again.
Your subscription has been successful.

Get updates on our research

Subscribe to our newsletter and stay updated on the newest research, security advisories, and more!

Ready to get started?

Get on a call with our team and learn how Assetnote can change the way you secure your attack surface. We'll set you up with a trial instance so you can see the impact for yourself.