CVE-2024-34351
Published 2024-05-14
PriorityP259high7.5CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploit
EPSS 5.45% (91.7th percentile)
Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 13.4.0 < 14.1.1 | 14.1.1 |
| vercel | next.js | — | — |
| vercel | next.js | >= 13.4.0 < 14.1.1 | 14.1.1 |
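An added, defender-side example, not code from the advisory, the Nuclei template or the Next.js project: it takes the affected range from the table above (>= 13.4.0 < 14.1.1) and the advisory's observation that deployments which route on the `Host` header are not affected, and shows (1) a check of an installed `next` version against that range and (2) a `Host`-header allowlist guard that rejects requests naming a hostname the deployment does not serve before they reach the application, so a Server Action redirect is never resolved against an attacker-chosen host. The allowlist hostnames, the Express-style middleware shape and the 421 response status are assumptions made for this example.

```javascript
// Added example (not from the advisory, NVD or the Next.js project): two
// defensive checks for a self-hosted Next.js deployment in scope of
// CVE-2024-34351. The version range is the advisory's; the allowlist
// hostnames, middleware shape and 421 status are constructed assumptions.

// Affected range from the advisory: >= 13.4.0 < 14.1.1 (fixed in 14.1.1).
const AFFECTED_MIN = [13, 4, 0];
const FIXED_IN = [14, 1, 1];

// Parse "major.minor.patch" (optional leading "v"; prerelease suffix ignored).
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed `next` version falls inside the affected range.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED_IN) < 0;
}

// Extract the hostname from a Host header value: lower-case it and drop any
// port, handling bracketed IPv6 literals such as "[::1]:3000".
function hostnameFromHeader(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const raw = hostHeader.trim().toLowerCase();
  if (raw.length === 0) return null;
  if (raw.startsWith('[')) {
    const end = raw.indexOf(']');
    return end === -1 ? null : raw.slice(0, end + 1);
  }
  const colon = raw.lastIndexOf(':');
  return colon === -1 ? raw : raw.slice(0, colon);
}

// True only when the request's Host names a hostname this deployment serves.
// `allowed` is the operator's allowlist (hostnames without ports).
function hostIsAllowed(hostHeader, allowed) {
  const hostname = hostnameFromHeader(hostHeader);
  if (hostname === null || hostname.length === 0) return false;
  return allowed.some((entry) => entry.toLowerCase() === hostname);
}

// Node/Express-style middleware: a request with an unexpected Host never
// reaches the Next.js handler, so a Server Action redirect cannot be resolved
// against an attacker-chosen host. 421 Misdirected Request is this example's
// choice of status; any rejection before the app handler would do.
function hostGuard(allowed) {
  return function guard(req, res, next) {
    if (!hostIsAllowed(req.headers && req.headers.host, allowed)) {
      res.statusCode = 421;
      res.end('Misdirected Request');
      return;
    }
    next();
  };
}

// Constructed demonstration input (hostnames are placeholders).
const ALLOWED_HOSTS = ['app.example.com', 'localhost'];
const guard = hostGuard(ALLOWED_HOSTS);
for (const host of ['app.example.com:443', 'attacker.example', undefined]) {
  const res = { statusCode: 200, end() {} };
  let reached = false;
  guard({ headers: { host } }, res, () => { reached = true; });
  console.log(`Host=${host}: ${reached ? 'passed to app' : `rejected ${res.statusCode}`}`);
}
console.log('next 14.0.4 affected:', isAffectedVersion('14.0.4'));
console.log('next 14.1.1 affected:', isAffectedVersion('14.1.1'));
```

Run it with `node`; in a real deployment the guard belongs in the reverse proxy or custom server that fronts Next.js, and upgrading to 14.1.1 remains the actual fix, with the allowlist as defence in depth.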
Detection & IOCs (extracted from sources)
url: {{BaseURL}}/_next/image?w=16&q=10&url=http://{{interactsh-url}}
url: {{BaseURL}}/_next/image?w=16&q=10&url=https://{{interactsh-url}}
path: /_next/image
path: /_next/static
- Probe the /_next/image endpoint with an external SSRF callback URL (e.g. interactsh) as the `url` parameter; a successful hit returns the string "The requested resource isn't a valid image" in the response body alongside an outbound HTTP request to the callback host.
- Modify the HTTP `Host` header to an attacker-controlled value when triggering a Server Action that redirects to a relative path starting with `/`; the server will issue an outbound request to the attacker-supplied host, enabling SSRF.
- Fingerprint vulnerable Next.js instances by searching for `/_next/static` in HTTP response bodies (Shodan/FOFA) before attempting exploitation.
- Exploitation requires all three conditions: Next.js self-hosted, Server Actions in use, and a Server Action that redirects to a relative path beginning with `/`.
- The vulnerability only affects Next.js versions prior to 14.1.1; instances running 14.1.1 or later are not affected.
- The SSRF is only exploitable in self-hosted deployments; managed/Vercel-hosted deployments are not listed as affected.
- The Nuclei template targets the image optimization endpoint (`/_next/image`) for detection, but the root vulnerability is in Server Actions; the template serves as a practical SSRF probe rather than a direct Server Actions exploit.
CVSS provenance
- NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Red Hat (vendor): 7.5 HIGH
OSV
Next.js Server-Side Request Forgery in Server Actions
osv · 2024-05-09 · HIGH
### Impact
A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.
#### Prerequisites
* Next.js (`<14.1.1`) is running in a self-hosted* manner.
* The Next.js application makes use of Server Actions.
* The Server Action performs a redirect to a relative path which starts with a `/`.
\* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this man
GHSA
Next.js Server-Side Request Forgery in Server Actions
ghsa · 2024-05-09 · HIGH · CWE-918
Advisory text (Impact and Prerequisites) identical to the OSV entry above.
Red Hat
next: Next.js Server-Side Request Forgery in Server Actions
vendor_redhat · 2024-05-09 · CVSS 7.5 · HIGH · CWE-918
Description identical to the NVD text at the top of this page.
No detection rules found.
Nuclei
Next.js - Server Side Request Forgery (SSRF)
nuclei · CVSS 7.5 · HIGH
Next.js prior to version 14.1.1 has its built-in image optimization component prone to SSRF.
Template:

```yaml
id: CVE-2024-34351
info:
  name: Next.js - Server Side Request Forgery (SSRF)
  author: righettod
  severity: high
  description: |
    Next.Js, inferior to version 14.1.1, have its image optimization built-in component prone to SSRF.
  impact: |
    Unauthenticated attackers can force the Next.js server to make requests to arbitrary internal or external resources.
  remediation: |
    Update Next.js to version 14.1.1 or later.
  reference:
    - https://www.assetnote.io/resources/research/digging-for-ssrf-in-nextjs-apps
    - https://nvd.nist.gov/vuln/detail/CVE-2024-34351
    - https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g
    - https://github.co
```
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
Bugzilla
CVE-2024-34351 mozjs140: Next.js Server-Side Request Forgery in Server Actions [fedora-all]
bugzilla · 2026-04-06 · CVSS 7.5 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2024-34351 conky: Next.js Server-Side Request Forgery in Server Actions [fedora-all]
bugzilla · 2026-04-06 · CVSS 7.5 · HIGH
Bugzilla
CVE-2024-34351 conky: Next.js Server-Side Request Forgery in Server Actions [epel-all]
bugzilla · 2026-04-06 · CVSS 7.5 · HIGH
Bugzilla
CVE-2024-34351 icecat: Next.js Server-Side Request Forgery in Server Actions [fedora-all]
bugzilla · 2026-04-06 · CVSS 7.5 · HIGH
Bugzilla
CVE-2024-34351 mozjs128: Next.js Server-Side Request Forgery in Server Actions [fedora-all]
bugzilla · 2026-04-06 · CVSS 7.5 · HIGH
Bugzilla
CVE-2024-34351 next: Next.js Server-Side Request Forgery in Server Actions
bugzilla · 2026-04-02 · CVSS 7.5 · HIGH
Description identical to the NVD text at the top of this page.
References:
- https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085
- https://github.com/vercel/next.js/pull/62561
- https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g
Published: 2024-05-14