A critical Server-Side Request Forgery (SSRF) vulnerability has been uncovered in the popular NextJS framework, a widely adopted solution for building modern web applications.
The vulnerability, assigned CVE-2024-34351, was discovered by security researchers at Assetnote and has since been patched in NextJS version 14.1.1.
NextJS, known for its simplicity and powerful server-side rendering capabilities, has gained significant traction among developers in recent years. However, this newfound vulnerability highlights the importance of thorough security testing, even in modern frameworks that are often perceived as more secure than traditional content management systems (CMS).
The SSRF vulnerability stems from NextJS's built-in image optimization component, which allows developers to serve images from various domains. By whitelisting specific domains or even allowing all URLs, developers inadvertently expose their applications to blind SSRF attacks. Attackers can exploit this vulnerability by crafting requests to internal URLs, potentially gaining unauthorized access to sensitive information.
Furthermore, the researchers discovered that the vulnerability can be escalated under certain conditions. If the NextJS version is outdated or the "dangerouslyAllowSVG"
option is enabled, attackers can potentially achieve cross-site scripting (XSS) or leak the full content of XML responses via SSRF.
The vulnerability also extends to NextJS's server-side functionality, specifically its Server Actions feature. By forging a Host header pointing to an internal host, attackers can trick NextJS into fetching responses from that host instead of the intended application, leading to an SSRF vulnerability.
To mitigate the risk, developers are advised to update their NextJS installations to version 14.1.1 or later.
Additionally, it is crucial to carefully review and limit the domains whitelisted for image optimization and to ensure that the "dangerouslyAllowSVG"
option is disabled unless absolutely necessary.
Along with the SSRF flaw, the Next.js team has also fixed a high-severity vulnerability identified as CVE-2024-34350, which received a CVSS score of 7.5.
This security issue arises from Next.js' inconsistent handling of HTTP requests, where a maliciously crafted request is interpreted as both a single request and two separate requests concurrently.
The vulnerability specifically affects routes that employ the rewrites feature in Next.js, potentially causing desynchronized responses and opening the door to response queue poisoning.
The discovery of this HTTP request smuggling vulnerability in Next.js applications is attributed to security researcher elifoster-block, who brought the issue to light.