Server-Side Request Forgery (SSRF) Affecting @sentry/nextjs package, versions >=7.26.0 <7.77.0


Severity: critical

CVSS assessment made by Snyk's Security Team

Threat Intelligence

EPSS: 0.06% (25th percentile)

  • Snyk ID SNYK-JS-SENTRYNEXTJS-6054452
  • published 10 Nov 2023
  • disclosed 10 Nov 2023
  • credit Alek Amrani

How to fix?

Upgrade @sentry/nextjs to version 7.77.0 or higher.

Overview

@sentry/nextjs is the official Sentry SDK for Next.js.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) through the tunnelRoute option. A malicious actor can forge requests and responses from the application.

When the tunnelRoute option is used, the Sentry Next.js SDK creates a Next.js rewrite whose target is built from an unsanitized URL parameter. The target is intended to always point to the ingestion domain oXXX.ingest.sentry.io; however, the unsanitized URL parameter can be used to escape this URL and point the rewrite at an arbitrary domain. The only limitation is that the rewrite target will always use the https protocol.

Note:

This vulnerability does not affect any of the other Sentry SDKs. This issue only affects users who have the Next.js SDK tunneling feature enabled.

Workaround:

  1. Users can remove the tunnelRoute option from the Sentry SDK configuration (usually located in the next.config.js or next.config.mjs files).

  2. If users are hosting the application on Vercel, the exploit is mitigated at the infrastructure level by blocking traffic with malicious payloads.

IoC:

Users can inspect the logs for requests matching the following regular expression: [?&]o=.*\/.*. If any requests match this pattern, users can further narrow down the search by looking for strings in the o URL parameter that look like references to internal services or external servers (internal or external domains, IP addresses). Requests of this kind should be considered an indication of being targeted through this vulnerability.
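As an added example (not code from the advisory or from Sentry), the two-stage log triage described above, run over constructed access-log lines in common log format; the advisory's pattern is applied to the request path only, and the host/IP heuristics used to narrow the hits are assumptions of this example:

```javascript
// Added example: scan access-log lines for the advisory's IoC pattern and
// narrow the hits to `o` values that reference hosts or IP addresses.
const IOC_PATTERN = /[?&]o=.*\/.*/;                     // pattern from the advisory
const IPV4 = /\b(?:\d{1,3}\.){3}\d{1,3}\b/;             // assumption: IPv4 literal
const HOSTNAME = /\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b/i; // assumption: dotted name
const INTERNAL = /\b(?:localhost|internal|metadata)\b/i; // assumption: internal-service hints

// Assumption: common log format, request target in the quoted "METHOD path HTTP/x" field.
// The IoC regex must be tested against the path, not the whole line, or the
// slash in "HTTP/1.1" makes every request with an `o=` parameter match.
function requestPath(line) {
  const m = line.match(/"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Return the URL-decoded value of the `o` query parameter, or null if absent.
function oParam(path) {
  const q = path.indexOf('?');
  if (q === -1) return null;
  for (const pair of path.slice(q + 1).split('&')) {
    if (pair.startsWith('o=')) {
      try { return decodeURIComponent(pair.slice(2)); } catch { return pair.slice(2); }
    }
  }
  return null;
}

// Stage 1: does the path match the IoC? Stage 2: does `o` look like a host reference?
// Returns null for non-matching lines, otherwise a triage record.
function classify(line) {
  const path = requestPath(line);
  if (!path || !IOC_PATTERN.test(path)) return null;
  const o = oParam(path) ?? '';
  const reasons = [];
  if (IPV4.test(o)) reasons.push('ip-address');
  if (HOSTNAME.test(o)) reasons.push('hostname');
  if (INTERNAL.test(o)) reasons.push('internal-keyword');
  return { path, o, suspicious: reasons.length > 0, reasons };
}

function scan(lines) {
  return lines.map(classify).filter(Boolean);
}

// Constructed sample lines (not real traffic): a normal tunnel request, a hit
// whose `o` value carries an IP address, and an unrelated request.
const SAMPLE_LOG = [
  '10.1.2.3 - - [10/Nov/2023:12:00:00 +0000] "POST /monitoring?o=123456&p=7890 HTTP/1.1" 200 12',
  '10.1.2.4 - - [10/Nov/2023:12:00:01 +0000] "POST /monitoring?o=123456/10.0.0.8/ HTTP/1.1" 200 12',
  '10.1.2.5 - - [10/Nov/2023:12:00:02 +0000] "GET /about HTTP/1.1" 200 512',
];
```

A hit that matches the pattern but carries no host-like string (for example a purely numeric `o` value containing a slash) is still returned, with `suspicious` set to false, so it can be reviewed rather than silently dropped.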

CVSS Scores

version 3.1

Snyk (recommended)

9.3 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    None

NVD

6.1 medium