Research Notes
May 9, 2024

Advisory: Next.js SSRF (CVE-2024-34351)

Creative Commons license

Summary

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the Host header is modified, and the conditions below are also met, an attacker may be able to make requests that appear to originate from the Next.js application server itself. An attacker who successfully exploits this SSRF issue is able to read the full HTTP response.

Impact

An attacker can make arbitrary requests to URLs and read the full HTTP response made through these requests. As the requests originate from the server, an attacker could leverage this bug to access the internal network or metadata IPs for privilege escalation.

Affected Software

Next.js >=13.4 <14.1.1

Product Description

Next.js is an open-source web development framework created by Vercel that provides React-based web applications with server-side rendering and static site generation.

Solution

Upgrade to Next.js 14.1.1.
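Two defender-side checks that follow from the advisory, as an added example (not code from the advisory or from Next.js): a version-range check against the affected range stated above, and a Host header allow-list check of the kind that can be called from a Next.js middleware before a request reaches a Server Action. The host names, the `parseVersion` helper and the regular expression are assumptions.

```typescript
// Added example: version-range and Host allow-list checks derived from the
// advisory. Host names and sample versions are constructed, not from the page.

type Version = [number, number, number];

// Parse "14.0.4" or "v13.4.12-canary.3" into [major, minor, patch].
// Pre-release suffixes are ignored, so a 14.1.1-canary.* build is treated as
// fixed here; confirm such builds against the release notes separately.
function parseVersion(v: string): Version {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] ?? "0")];
}

function cmpVersion(a: Version, b: Version): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: >=13.4 <14.1.1
const AFFECTED_MIN: Version = [13, 4, 0];
const FIXED: Version = [14, 1, 1];

// True when the deployed Next.js version falls inside the affected range.
function isAffectedVersion(v: string): boolean {
  const p = parseVersion(v);
  return cmpVersion(p, AFFECTED_MIN) >= 0 && cmpVersion(p, FIXED) < 0;
}

// Host names this deployment actually serves (constructed sample values).
const ALLOWED_HOSTS: ReadonlySet<string> = new Set([
  "app.example.com",
  "app.example.com:443",
]);

// Returns true only when the Host header names a host on the allow-list.
// Anything that is not a plain hostname or IPv4 address with an optional
// numeric port (userinfo, paths, schemes) is rejected before the lookup.
function isTrustedHost(
  hostHeader: string | null | undefined,
  allowed: ReadonlySet<string> = ALLOWED_HOSTS,
): boolean {
  if (!hostHeader) return false;
  const host = hostHeader.trim().toLowerCase();
  if (!/^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::\d{1,5})?$/.test(host)) return false;
  return allowed.has(host);
}
```

A request failing `isTrustedHost` should be rejected at the edge or in middleware and logged, since a Host value outside the allow-list is the precondition the advisory describes.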

Blog Post

The blog post for this issue can be found here.

Credits

Shubham Shah - Assetnote Security Research Team

Adam Kues - Assetnote Security Researcher

Written by:
Shubham Shah
Adam Kues