CVE-2024-34351

Next.js Server-Side Request Forgery in Server Actions

CVSS 7.5 HIGH · EPSS 5.5% · CWE-918
In short

A flaw in Next.js Server Actions allows attackers to trick the server into making requests by manipulating the Host header and triggering redirects, making it appear the server itself is the requester. This matters because it can expose internal services or resources that should only be accessible from within the network.

Technical detail

SSRF vulnerability in Next.js Server Actions, triggered by Host header manipulation combined with a redirect to a relative path (one starting with /). It requires a self-hosted Next.js deployment whose Server Actions perform such redirects; an attacker can then forge requests that appear to originate from the application server, potentially reaching internal endpoints or exfiltrating sensitive data. Fixed in Next.js 14.1.1.

Summary generated and translated by AI from the official description.
Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.
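The root cause is that a relative redirect target only has meaning once it is resolved against an origin, and if that origin is taken from the attacker-controlled `Host` header the server fetches wherever the attacker points it. The following is an added example, not Next.js code; it contrasts that unsafe resolution with one pinned to an assumed deployment allowlist of hosts.

```javascript
// Added example (not Next.js code). ALLOWED_HOSTS is an assumed deployment
// setting listing the host[:port] values this server is actually reachable as.
const ALLOWED_HOSTS = new Set(["app.example.com", "localhost:3000"]);

// Normalise a raw Host header: trim, lowercase, and accept only a plain
// host[:port]. Userinfo, paths, spaces and bracketed IPv6 literals are
// rejected outright (a deliberate simplification for this example).
function normalizeHost(hostHeader) {
  if (typeof hostHeader !== "string") return null;
  const h = hostHeader.trim().toLowerCase();
  if (!/^[a-z0-9.-]+(:\d{1,5})?$/.test(h)) return null;
  return h;
}

function isTrustedHost(hostHeader) {
  const h = normalizeHost(hostHeader);
  return h !== null && ALLOWED_HOSTS.has(h);
}

// Vulnerable pattern: the request's Host header becomes the base URL, so a
// forged Host turns "/admin" into a request to an arbitrary internal origin.
function resolveRedirectUnsafe(path, hostHeader, proto = "http") {
  return new URL(path, `${proto}://${hostHeader}`).href;
}

// Hardened pattern: accept only a single-slash relative path (a leading "//"
// is protocol-relative and would change the host), and resolve it solely
// against a host the deployment owns. Anything else is refused (null).
function resolveRedirectSafe(path, hostHeader, proto = "http") {
  if (typeof path !== "string" || !path.startsWith("/") || path.startsWith("//")) {
    return null;
  }
  if (!isTrustedHost(hostHeader)) return null;
  return new URL(path, `${proto}://${normalizeHost(hostHeader)}`).href;
}
```

In a real deployment the same allowlist check belongs at the reverse proxy or in request middleware, so that a mismatched `Host` is rejected before any Server Action runs; upgrading to Next.js 14.1.1 or later removes the underlying flaw.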
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
vercel · next.js
