CVE-2024-34351 - Next.js SSRF Vulnerability: Exploit and Mitigation

Next.js, the popular React framework used for building modern web applications, recently patched a Server-Side Request Forgery (SSRF) vulnerability (CVE-2024-34351) in its Server Actions component. This vulnerability allowed an attacker to make requests that appeared to originate from the Next.js application server, potentially causing serious security risks.

In this post, we will discuss the details of this vulnerability, how to exploit it, and the steps to secure your Next.js applications.

Original References

- CVE-2024-34351 Details
- Next.js Patch Release Notes

Exploit Details

The SSRF exploit in Next.js Server Actions occurs when the Host header is manipulated. The following conditions must be met for the vulnerability to be exploited:

1. The Next.js application must be running in a self-hosted manner (e.g., not using a managed service like Vercel);

The application must make use of Server Actions; and

3. The Server Action must perform a redirect to a relative path starting with /.

Let's go through an example to illustrate the attack.

Suppose we have a Next.js application with the following Server Action

// pages/api/action.js
export default function handler(req, res) {
  res.redirect('/other-page');
}

In this example, the Server Action redirects users to /other-page. An attacker can modify the Host header of their request and trigger the SSRF vulnerability:

GET /api/action HTTP/1.1
Host: evil.com

With the manipulated Host header, the Next.js application will perform the redirect to evil.com/other-page, leading to the SSRF issue.

Mitigation

To protect your Next.js applications from this SSRF vulnerability, update your application to Next.js version 14.1.1 or later, which contains the security patch for this issue. You can update your Next.js project by modifying the package.json file:

{
  "dependencies": {
    "next": "14.1.1",
    // ...
  }
}

After updating the package.json file, run the following command to install the patched version of Next.js:

npm install

Additional Tips

- Always keep your Next.js projects updated to the latest stable version to receive the latest security patches and features.

Conclusion

The SSRF vulnerability in Next.js Server Actions (CVE-2024-34351) can potentially compromise the security of your web applications. By updating your Next.js application to version 14.1.1 and following the additional security tips mentioned above, you can protect your applications from such vulnerabilities. Stay vigilant and secure your applications to ensure the safety of your users and your infrastructure.

Timeline

Published on: 05/14/2024 15:38:42 UTC
Last modified on: 05/14/2024 16:12:23 UTC