Upgrade @sentry/nextjs to version 7.77.0 or higher.
@sentry/nextjs is an Official Sentry SDK for Next.js.
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) through the tunnelRoute option. A malicious actor can forge requests and responses from the application.
When the tunnelRoute option is enabled, the Sentry Next.js SDK creates a Next.js rewrite that builds the rewrite target from an unsanitized URL parameter. The target is intended to always point to the Sentry ingestion domain oXXX.ingest.sentry.io; however, the unsanitized parameter can be used to escape this host and point the rewrite at an arbitrary domain. The only limitation is that the rewrite target always uses the https protocol.
Note: This vulnerability does not affect any of the other Sentry SDKs. It only affects users who have the Next.js SDK tunneling feature enabled.
Users can remove the tunnelRoute option from the Sentry SDK configuration (usually located in the next.config.js or next.config.mjs file).
If the application is hosted on Vercel, the exploit is mitigated at the infrastructure level by blocking traffic with malicious payloads.
IoC: Users can inspect their logs for requests matching the following regular expression: [?&]o=.*\/.* . Apply the pattern to the request URL or query string rather than to a whole access-log line, since text that follows the URL (for example the protocol field HTTP/1.1) also contains a slash and would make every line with an o parameter match. If any requests match the pattern, users can narrow the search further by looking for values of the o URL parameter that look like references to internal services or external servers (internal or external domain names, IP addresses). Requests of this kind should be considered an indication of being targeted through this vulnerability.