CVE-2024-34351: Next.js Server-Side Request Forgery in Server Actions

May 9, 2024

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

References

github.com/advisories/GHSA-fr5h-rqp8-mj6g
github.com/vercel/next.js
github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085
github.com/vercel/next.js/pull/62561
github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g
nvd.nist.gov/vuln/detail/CVE-2024-34351

Code Behaviors & Features

Detect and mitigate CVE-2024-34351 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →