Cyber Resilience

CVE-2024-34351

Severity: High
Published: 14 May 2024
Modified: 10 September 2025
KEV Added: not listed
Patch: available (Next.js 14.1.1)
CVSS v3.1 score: 7.5 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.9275 (99.8th percentile)
Risk priority: 71 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-34351 is a high-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in Vercel Next.js. Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 0.2% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Next.js, a React framework for building web applications, contains a Server-Side Request Forgery vulnerability in its Server Actions feature. The flaw is present when the framework runs in self-hosted mode, Server Actions are enabled, and an action performs a redirect to a relative path beginning with a forward slash; under these conditions an attacker who can alter the Host header can cause the application to issue requests that appear to originate from the server itself. The issue was corrected in Next.js version 14.1.1.

An unauthenticated remote attacker can exploit the weakness by crafting a request that manipulates the Host header and triggers a Server Action redirect. Successful exploitation grants the ability to reach internal or otherwise restricted network resources from the perspective of the Next.js server, resulting in high-impact information disclosure as reflected by the CVSS 7.5 rating and CWE-918 classification.

The official GitHub Security Advisory GHSA-fr5h-rqp8-mj6g and the associated pull request and commit (8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085) confirm that upgrading to Next.js 14.1.1 fully resolves the SSRF vector; no additional configuration changes are documented as required beyond the version update. The EPSS score has remained at its peak value of 0.9275 since disclosure, indicating sustained exploitation interest.


Vulnerability details

Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.
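The three preconditions above (self-hosted, Server Actions in use, relative redirect) all hinge on the server trusting an attacker-controlled `Host` header. The following is an added example, not Next.js or Vercel code, of a defence-in-depth Host allowlist a self-hosted deployment can apply in front of the application while an upgrade to 14.1.1 is scheduled. It assumes the deployment knows its own public hostnames and that Server Action requests are POSTs carrying a `Next-Action` header (assumed here as the marker Next.js uses for them); the sample requests are constructed.

```javascript
// Added example (not Next.js/Vercel code): Host header allowlist as a
// defence-in-depth control for CVE-2024-34351. Upgrading to 14.1.1 is the
// fix; this only limits what a forged Host header can achieve meanwhile.

// Normalise a Host header value: lower-case, strip an explicit port, keep a
// bracketed IPv6 literal intact. Returns null for malformed or oversized values.
function normalizeHost(rawHost) {
  if (typeof rawHost !== "string" || rawHost.length === 0 || rawHost.length > 255) return null;
  let host = rawHost.trim().toLowerCase();
  if (host.startsWith("[")) {
    const end = host.indexOf("]");
    if (end === -1) return null;
    host = host.slice(0, end + 1); // drop any :port after the bracket
  } else {
    host = host.split(":")[0]; // drop :port
  }
  // Only hostname characters survive; slashes, percent-escapes, '@' etc. are rejected.
  return /^[a-z0-9.\-\[\]:]+$/.test(host) ? host : null;
}

// Decide whether a request may proceed. `req` is a plain object
// { method, url, headers: { name: value } }; header names are case-insensitive.
function evaluateRequest(req, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => normalizeHost(h)));
  const headers = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  // Assumption: Next.js marks Server Action POSTs with a Next-Action header.
  const isServerAction = req.method === "POST" && "next-action" in headers;
  const host = normalizeHost(headers["host"]);
  // Any request whose Host is not one of ours is rejected, Server Action or not,
  // so a redirect built from the Host header can only ever point back at us.
  if (host === null || !allowed.has(host)) {
    return { allow: false, reason: "untrusted-host", host, isServerAction };
  }
  return { allow: true, reason: "ok", host, isServerAction };
}

// Constructed sample requests: a legitimate Server Action, a Server Action with a
// forged Host pointing at an internal name, and a plain page load.
const SAMPLE_REQUESTS = [
  { method: "POST", url: "/dashboard", headers: { Host: "app.example.com:3000", "Next-Action": "a1" } },
  { method: "POST", url: "/dashboard", headers: { Host: "intranet.internal.example", "Next-Action": "a1" } },
  { method: "GET", url: "/", headers: { Host: "App.Example.com" } },
];

function auditSamples(allowedHosts = ["app.example.com"]) {
  return SAMPLE_REQUESTS.map((r) => evaluateRequest(r, allowedHosts));
}
```

Rejected requests are worth logging with the offending `host` and `isServerAction` fields, since a burst of them against Server Action endpoints is the signal the "unexpected outbound connections" control below would otherwise only see after the fact.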

CWE(s): CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: vercel
Product: next.js
Versions: 13.4.0 to 14.1.1 (fixed in 14.1.1)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing (addresses CWE-918): attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Boundary egress filtering (addresses CWE-918): outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
- Server-side URL validation (addresses CWE-918): validates server-side URLs and resource references to block SSRF attempts.
- Outbound connection monitoring (addresses CWE-918): detects server-side request forgery through monitoring of unexpected outbound connections.
