CVE-2024-34351
Published: 14 May 2024
Summary
CVE-2024-34351 is a high-severity SSRF (CWE-918) vulnerability in Vercel Next.js. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Next.js, a React framework for building web applications, contains a Server-Side Request Forgery vulnerability in its Server Actions feature. The flaw is present when the framework runs in self-hosted mode, Server Actions are enabled, and an action performs a redirect to a relative path beginning with a forward slash; under these conditions an attacker who can alter the Host header can cause the application to issue requests that appear to originate from the server itself. The issue was corrected in Next.js version 14.1.1.
An unauthenticated remote attacker can exploit the weakness by crafting a request that manipulates the Host header and triggers a Server Action redirect. Successful exploitation grants the ability to reach internal or otherwise restricted network resources from the perspective of the Next.js server, resulting in high-impact information disclosure as reflected by the CVSS 7.5 rating and CWE-918 classification.
The official GitHub Security Advisory GHSA-fr5h-rqp8-mj6g and the associated pull request and commit (8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085) confirm that upgrading to Next.js 14.1.1 fully resolves the SSRF vector; no additional configuration changes are documented as required beyond the version update. The EPSS score has remained at its peak value of 0.9275 since disclosure, indicating sustained exploitation interest.
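To make the mechanism concrete, the following is an added JavaScript illustration; it is not Next.js source and not the fix from the commit referenced above. It contrasts a resolver that builds the absolute URL of a relative redirect target from the request's Host header (the CWE-918 pattern described above) with one that only resolves against a configured canonical origin after checking the Host header against an allowlist and rejecting anything but a single-slash relative path. The names ALLOWED_HOSTS, CANONICAL_ORIGIN, hostnameOf, isSafeRelativePath, resolveRedirectTargetNaive and resolveRedirectTargetSafe are this example's own assumptions.

```javascript
// Added illustration of the CWE-918 pattern described above; this is not
// Next.js source or the fix from the referenced commit. All identifiers here
// (ALLOWED_HOSTS, CANONICAL_ORIGIN, resolveRedirectTarget*) are this example's own.

// Constructed deployment config: hostnames this server is legitimately served under.
const ALLOWED_HOSTS = new Set(["www.example.com", "app.example.internal"]);
// The origin the server should use when it needs an absolute URL for itself.
const CANONICAL_ORIGIN = "https://www.example.com";

// Naive resolver: the absolute URL for a relative redirect is derived from the
// request's Host header, so whoever controls that header decides which host a
// server-side fetch of the target goes to. This is the shape of the flaw, not a fix.
function resolveRedirectTargetNaive(hostHeader, redirectPath) {
  return new URL(redirectPath, `https://${hostHeader}`).href;
}

// Extract the hostname from a Host header value, tolerating an explicit port
// ("www.example.com:443") and returning null on anything unparsable.
function hostnameOf(hostHeader) {
  try {
    return new URL(`https://${hostHeader}`).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// A safe "relative path" is exactly one leading slash followed by a path:
// no scheme, no protocol-relative "//host", no backslash (which the WHATWG URL
// parser treats as a slash for http(s)), no control characters or whitespace.
function isSafeRelativePath(p) {
  if (typeof p !== "string" || !p.startsWith("/")) return false;
  if (p.startsWith("//") || p.startsWith("/\\")) return false;
  if (/[\u0000-\u001f\s]/.test(p)) return false;
  // Belt and braces: resolving against a placeholder origin must not change the host.
  const probe = new URL(p, "https://placeholder.invalid");
  return probe.host === "placeholder.invalid";
}

// Hardened resolver: validate the path shape, require the Host header to name a
// known deployment hostname, then resolve against the configured origin so the
// request header never decides where the server connects.
function resolveRedirectTargetSafe(hostHeader, redirectPath) {
  if (!isSafeRelativePath(redirectPath)) {
    throw new Error(`rejected redirect path: ${JSON.stringify(redirectPath)}`);
  }
  const hostname = hostnameOf(hostHeader);
  if (hostname === null || !ALLOWED_HOSTS.has(hostname)) {
    throw new Error(`rejected Host header: ${JSON.stringify(hostHeader)}`);
  }
  return new URL(redirectPath, CANONICAL_ORIGIN).href;
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  console.log(resolveRedirectTargetNaive("other.example", "/dashboard"));
  console.log(resolveRedirectTargetSafe("www.example.com:443", "/dashboard?tab=1"));
  const rejected = [
    ["other.example", "/dashboard"],          // Host not in the allowlist
    ["www.example.com", "//other.example/x"], // protocol-relative path
  ];
  for (const [host, path] of rejected) {
    try {
      resolveRedirectTargetSafe(host, path);
    } catch (e) {
      console.log(e.message);
    }
  }
}
```

The point of the hardened version is that the Host header is only ever compared against configuration, never used as a base for URL construction; the allowlist check is what closes the gap even when the path itself is a perfectly ordinary `/dashboard`.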
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1607
Vulnerability details
Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Outbound connections to external resources can be monitored and limited at the network boundary, reducing SSRF impact.
- Validation of server-side URLs and resource references blocks SSRF attempts.
- Detection of server-side request forgery through monitoring of unexpected outbound connections.
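The last two controls above, egress limiting and detection of unexpected outbound connections, are shown together in the following added JavaScript example; it is not part of the CVE record or of Next.js. It parses a constructed egress log of new outbound connections from an application server process, compares each destination against an allowlist of expected egress targets, and raises an alert for anything else, distinguishing connections into private, loopback or link-local address space (the classic SSRF pivot targets) from merely unlisted external hosts. The log format, field names, EXPECTED_EGRESS, SAMPLE_LOG and the function names are all this example's assumptions.

```javascript
// Added example (not part of the CVE page or of Next.js): flag unexpected
// outbound connections from an application server, i.e. the egress monitoring
// control listed above. Log format, field names and allowlist are assumptions.

// Constructed allowlist: the only destinations this deployment is expected to reach.
const EXPECTED_EGRESS = new Set(["api.payments.example:443", "cdn.example.com:443"]);

// Constructed egress log: one line per new outbound TCP connection from the app.
const SAMPLE_LOG = `
2024-05-15T10:00:01Z src=next-server dst=api.payments.example:443 proto=tcp
2024-05-15T10:00:02Z src=next-server dst=169.254.169.254:80 proto=tcp
2024-05-15T10:00:03Z src=next-server dst=10.0.0.12:6379 proto=tcp
2024-05-15T10:00:04Z src=next-server dst=cdn.example.com:443 proto=tcp
2024-05-15T10:00:05Z src=next-server dst=unlisted-host.example:443 proto=tcp
`;

// One log line: timestamp, source process, destination host:port, protocol.
const LINE_RE = /^(\S+) src=(\S+) dst=(\S+):(\d+) proto=(\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], src: m[2], host: m[3], port: Number(m[4]), proto: m[5] };
}

// RFC 1918 private ranges, loopback and link-local (which includes the
// 169.254.169.254 cloud metadata address). Dotted-quad IPv4 only.
function isInternalIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 10 ||
    a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// Classify a parsed connection: INTERNAL beats everything (an app server that
// serves public traffic should not be opening connections into private space
// on request), EXPECTED for allowlisted destinations, UNEXPECTED otherwise.
function classify(conn) {
  if (conn.host === "localhost" || isInternalIPv4(conn.host)) return "INTERNAL";
  if (EXPECTED_EGRESS.has(`${conn.host}:${conn.port}`)) return "EXPECTED";
  return "UNEXPECTED";
}

// Run the classifier over a whole log and return the alert-worthy connections.
function analyzeEgressLog(text) {
  const alerts = [];
  for (const line of text.split("\n")) {
    const conn = parseLine(line);
    if (conn === null) continue; // blank or malformed line
    const verdict = classify(conn);
    if (verdict !== "EXPECTED") {
      alerts.push({ ts: conn.ts, src: conn.src, dst: `${conn.host}:${conn.port}`, verdict });
    }
  }
  return alerts;
}

// Stand-alone run over the constructed log.
if (typeof require !== "undefined" && require.main === module) {
  for (const a of analyzeEgressLog(SAMPLE_LOG)) {
    console.log(`${a.ts} ${a.verdict} ${a.src} -> ${a.dst}`);
  }
}
```

In a real deployment the same allowlist would also be enforced at the boundary (egress proxy or firewall rules keyed on destination host and port), so that the detection output is a record of blocked attempts rather than of successful ones.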