CVE-2024-34351

EPSS 92.32%
Veröffentlicht 14.05.2024 15:38:42
Zuletzt bearbeitet 10.09.2025 15:43:33
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vercel ≫ Next.Js SwPlatformnode.js Version >= 13.4.0 < 14.1.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	92.32%	0.997

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085

Patch

https://github.com/vercel/next.js/pull/62561

Patch

Issue Tracking

https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-34351

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-34351

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-34351

EUVD