Platform
nodejs
Component
next
Fixed in
13.4.1
14.1.1
CVE-2024-34351 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Next.js Server Actions. This flaw allows attackers to potentially manipulate requests to appear as if they originate from the Next.js application server itself, enabling unauthorized access to internal resources. The vulnerability affects Next.js versions prior to 14.1.1 running in self-hosted environments, specifically when Server Actions are utilized and redirect to relative paths.
The SSRF vulnerability in Next.js Server Actions allows an attacker to craft malicious requests that appear to originate from the Next.js application server. This can be exploited to access internal resources that are otherwise protected, such as internal APIs, databases, or cloud services. Specifically, the vulnerability is triggered when a Server Action performs a redirect to a relative path starting with a /. By manipulating the Host header, an attacker can bypass security controls and make requests to arbitrary internal or external URLs. The potential blast radius depends on the internal services accessible from the Next.js server; access to sensitive data or the ability to trigger actions on internal systems are possible outcomes. This vulnerability shares similarities with other SSRF exploits where attackers leverage the server's trust to access restricted resources.
CVE-2024-34351 was published on May 9, 2024. The vulnerability's EPSS score is currently pending evaluation, but the SSRF nature suggests a potential for medium to high probability of exploitation, especially given the widespread use of Next.js. No public Proof-of-Concept (PoC) exploits have been publicly released as of this writing, but the vulnerability's ease of understanding and potential impact make it a likely target for exploitation. Monitor security advisories from Next.js and related communities for updates and potential exploitation attempts.
Exploit Status
EPSS
92.75% (100% percentile)
CISA SSVC
The primary mitigation for CVE-2024-34351 is to upgrade to Next.js version 14.1.1 or later, which includes the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing temporary workarounds. Carefully review and validate all user-supplied input used in Server Actions, particularly the Host header. Implement strict input validation and sanitization to prevent attackers from manipulating the header. Consider using a Web Application Firewall (WAF) or reverse proxy to filter out malicious requests and restrict outbound connections from the Next.js application. Additionally, review the application's configuration to ensure that Server Actions are not configured to perform redirects to untrusted relative paths. After upgrading, confirm the fix by attempting to trigger the vulnerable Server Action with a modified Host header and verifying that the request is rejected.
Update Next.js to version 14.1.1 or higher. This version contains the fix for the SSRF vulnerability in Server Actions. Ensure your Next.js application is running the patched version to mitigate the risk.
Vulnerability analysis and critical alerts directly to your inbox.
It's an SSRF vulnerability in Next.js Server Actions, allowing attackers to make requests appearing from the server itself.
You're affected if you're using Next.js versions <14.1.1 in a self-hosted environment, using Server Actions, and redirecting to relative paths.
Upgrade to Next.js 14.1.1 or later. Implement input validation and consider a WAF as temporary measures.
No public PoCs exist yet, but the vulnerability's nature makes it a potential target.
Refer to the official Next.js security advisory and the NVD entry for CVE-2024-34351.
CVSS Vector
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.