Description

Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.

INFO

Published Date :

2024-05-09T16:14:16.236Z

Last Modified :

2024-08-02T02:51:09.867Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-34351 vulnerability.

Vendors Products
Vercel
  • Next.js
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-34351.

URL Resource
https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085 cve-icon cve-icon cve-icon
https://github.com/vercel/next.js/pull/62561 cve-icon cve-icon cve-icon
https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact