cbcvebase.
CVE-2024-34351
published 2024-05-14


Priority: P2 (59) · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Flags: EXPLOIT
EPSS: 5.45% (91.7th percentile)
Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.

Affected (3 ranges)

Vendor   Product   Version range          Fixed in
next     next      >= 13.4.0 < 14.1.1     14.1.1
vercel   next.js   -                      -
vercel   next.js   >= 13.4.0 < 14.1.1     14.1.1

Detection & IOCs (extracted from sources)

url:  {{BaseURL}}/_next/image?w=16&q=10&url=http://{{interactsh-url}}
url:  {{BaseURL}}/_next/image?w=16&q=10&url=https://{{interactsh-url}}
path: /_next/image
path: /_next/static
  • Probe the /_next/image endpoint with an external SSRF callback URL (e.g. interactsh) as the `url` parameter; a successful hit returns the string "The requested resource isn't a valid image" in the response body alongside an outbound HTTP request to the callback host.
  • Modify the HTTP `Host` header to an attacker-controlled value when triggering a Server Action that redirects to a relative path starting with `/`; the server will issue an outbound request to the attacker-supplied host, enabling SSRF.
  • Fingerprint vulnerable Next.js instances by searching for `/_next/static` in HTTP response bodies (Shodan/FOFA) before attempting exploitation.
  • Exploitation requires all three conditions: Next.js self-hosted, Server Actions in use, and a Server Action that redirects to a relative path beginning with `/`.
  • Vulnerability only affects Next.js versions prior to 14.1.1; instances running 14.1.1 or later are not affected.
  • The SSRF is only exploitable in self-hosted deployments; managed/Vercel-hosted deployments are not listed as affected.
  • The Nuclei template targets the image optimization endpoint (`/_next/image`) for detection, but the root vulnerability is in Server Actions; the template serves as a practical SSRF probe rather than a direct Server Actions exploit.

CVSS provenance

nvd:           v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vendor_redhat: 7.5 HIGH