Server-Side Request Forgery (SSRF) Affecting @sentry/nextjs package, versions >=7.26.0 <7.77.0


Severity

Recommended
0.0
critical
0
10

    Threat Intelligence

    EPSS
    0.05% (21st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-SENTRYNEXTJS-6054452
  • published 10 Nov 2023
  • disclosed 10 Nov 2023
  • credit Alek Amrani

How to fix?

Upgrade @sentry/nextjs to version 7.77.0 or higher.

Overview

@sentry/nextjs is an Official Sentry SDK for Next.js

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) through the tunnelRoute option. A malicious actor can forge requests and responses from the application.

When using the tunnelRoute option, the Sentry Next.js SDK creates a Next.js rewrite that uses an unsanitized URL parameter to create the rewrite target. The target is intended to always point ingestion domain oXXX.ingest.sentry.io, however the unsanitized URL parameter could be used to escape this URL and point the rewrite to an arbitrary domain. The only limitation is that the rewrite target will always use the https protocol.

Note:

This vulnerability does not affect any of the other Sentry SDK’s. This issue only affects users who have Next.js SDK tunneling feature enabled.

Workaround:

  1. Users can remove the tunnelRoute option from the Sentry SDK configuration (usually located in the next.config.js or next.config.mjs files).

  2. If users are hosting the application on Vercel, the exploit is mitigated on an infrastructure level by blocking traffic with malicious payloads.

IoC:

Users can inspect the logs for requests matching the following regular expression: [?&]o=.*\/.*. If there are any requests that match this pattern, users can further narrow down the search by looking for strings in the o URL parameter that look like references to internal services or external servers (internal or external domains, IP addresses). Requests of this kind should be considered indication of being targeted by this vulnerability.

CVSS Scores

version 3.1
Expand this section

Snyk

9.3 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    None
Expand this section

NVD

6.1 medium