Server-Side Request Forgery (SSRF) Affecting next package, versions >=13.4.0 <14.1.1


Severity

0.0
medium
0
10

    Threat Intelligence

    EPSS
    0.06% (27th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-NEXT-6828457
  • published 10 May 2024
  • disclosed 9 May 2024
  • credit Adam Kues, Shubham Shah

How to fix?

Upgrade next to version 14.1.1 or higher.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) through the Host header manipulation. An attacker can make unauthorized requests appearing to originate from the server.

Notes:

Prerequisites:

  1. Next.js (<14.1.1) is running in a self-hosted manner.

  2. The Next.js application makes use of Server Actions.

  3. The Server Action performs a redirect to a relative path which starts with a /.

CVSS Scores

version 3.1
Expand this section

Snyk

5.9 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None