======================================================================
CERT-Renater Note d'Information No. 2024/VULN233
_____________________________________________________________________

DATE                 : 13/05/2024
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Next.js versions prior to 14.1.1.
=====================================================================

https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g
https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf
_____________________________________________________________________

Server-Side Request Forgery in Server Actions
Severity: High

Published by jackwilson323 as GHSA-fr5h-rqp8-mj6g on May 9, 2024

Package           : next (npm)
Affected versions : >=13.4 <14.1.1
Patched versions  : 14.1.1

Description

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the conditions below are also met, an attacker may be able to make requests that appear to originate from the Next.js application server itself.

Prerequisites

- Next.js (<14.1.1) is running in a self-hosted* manner.
- The Next.js application makes use of Server Actions.
- The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix.

Thanks to:
- Adam Kues - Assetnote
- Shubham Shah - Assetnote

Severity: High (7.5 / 10)

CVSS base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : High
  Integrity           : None
  Availability        : None
  Vector              : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID     : CVE-2024-34351
Weaknesses : CWE-918
_____________________________________________________________________

HTTP Request Smuggling
Severity: High

Published by jackwilson323 as GHSA-77r5-gw3j-2mpf on May 9, 2024

Package           : next (npm)
Affected versions : >=13.4 <13.5.1
Patched versions  : >=13.5.1

Description

Impact

Inconsistent interpretation of a crafted HTTP request meant that the same bytes could be treated by Next.js both as a single request and as two separate requests, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js.

Patches

The vulnerability is resolved in Next.js 13.5.1 and newer. This includes Next.js 14.x.

Workarounds

There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.

References

https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning

Severity: High (7.5 / 10)

CVSS base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : None
  Integrity           : High
  Availability        : None
  Vector              : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE ID     : CVE-2024-34350
Weaknesses : CWE-444

Credits
- @elifoster-block (elifoster-block), Finder

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41          +
+ 75013 Paris          | email: cert@support.renater.fr +
=========================================================
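The SSRF advisory above (GHSA-fr5h-rqp8-mj6g) hinges on one pattern: a server-side request whose base URL is derived from the client-controlled Host header, so that a Server Action redirect to a relative path such as "/dashboard" is resolved against whatever authority the attacker put in Host. The following is an added example written for this note; it is not Next.js source and not the #62561 patch. It models the unsafe resolution beside a hardened resolver that takes its authority from configuration, checks Host against an allowlist (the same property that makes Host-routed hosting providers unaffected, per the advisory footnote), and re-checks the resolved origin so that "//evil" or "/\evil" (which WHATWG URL parsing treats as a new authority) cannot escape. CANONICAL_ORIGIN, ALLOWED_HOSTS and the sample hosts are assumptions for the example.

```javascript
// Added example, not Next.js code: Host-derived base URL (unsafe) vs.
// configuration-derived base URL with allowlist and origin re-check (hardened).
// Assumed deployment settings for this example:
const CANONICAL_ORIGIN = "https://app.example.com";
const ALLOWED_HOSTS = new Set(["app.example.com"]); // include ":port" variants if you serve them

// Unsafe: the Host header supplies the authority, so a relative redirect target
// becomes a server-side request to any host the client names.
function resolveRedirectUnsafe(hostHeader, redirectPath) {
  return new URL(redirectPath, `https://${hostHeader}`).toString();
}

// Hardened: Host is only compared against an allowlist; the authority used for
// resolution is the configured canonical origin; and the result is re-checked
// because "//evil.example/x" and "/\evil.example/x" both resolve to a different
// origin under WHATWG URL rules even though they start with "/".
function resolveRedirectSafe(hostHeader, redirectPath) {
  const host = String(hostHeader || "").trim().toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) {
    throw new Error(`Host header not in allowlist: ${hostHeader}`);
  }
  if (typeof redirectPath !== "string" || !redirectPath.startsWith("/")) {
    throw new Error(`redirect target must be a same-origin path: ${redirectPath}`);
  }
  const target = new URL(redirectPath, CANONICAL_ORIGIN);
  if (target.origin !== CANONICAL_ORIGIN) {
    throw new Error(`redirect target escaped canonical origin: ${target.href}`);
  }
  return target.toString();
}

// Constructed inputs: a legitimate Host and a forged one pointing at a typical
// SSRF target (a cloud metadata address). Both are assumptions for the demo.
const LEGIT_HOST = "app.example.com";
const FORGED_HOST = "169.254.169.254";

function demo() {
  const results = {
    unsafeLegit: resolveRedirectUnsafe(LEGIT_HOST, "/dashboard"),
    unsafeForged: resolveRedirectUnsafe(FORGED_HOST, "/latest/meta-data/"),
    safeLegit: resolveRedirectSafe(LEGIT_HOST, "/dashboard?tab=1"),
  };
  for (const [host, path] of [
    [FORGED_HOST, "/dashboard"],
    [LEGIT_HOST, "//evil.example/x"],
    [LEGIT_HOST, "/\\evil.example/x"],
    [LEGIT_HOST, "https://evil.example/x"],
  ]) {
    try {
      resolveRedirectSafe(host, path);
      results[`${host} ${path}`] = "ACCEPTED (unexpected)";
    } catch (e) {
      results[`${host} ${path}`] = `rejected: ${e.message}`;
    }
  }
  return results;
}

console.log(demo());
```

The point of the origin re-check is that a "starts with /" test, which is exactly the shape of the advisory's third prerequisite, is not a same-origin guarantee on its own; only resolving against a fixed origin and comparing the result is.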
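The request smuggling advisory above (GHSA-77r5-gw3j-2mpf) describes the precondition for response queue poisoning: two components disagree on where one request ends and the next begins. The advisory does not describe the specific parsing defect in Next.js, and the following added example does not attempt to reproduce it; it is a generic strict framing check, written for this note and not taken from Next.js or any proxy, of the kind an edge or reverse proxy applies so that no request with ambiguous framing reaches a backend that might interpret it differently. The sample requests are constructed for the example.

```javascript
// Added example, not Next.js code: reject HTTP/1.1 requests whose message
// framing is ambiguous, the raw material of CL.TE / TE.CL desync attacks.
// Only the head (bytes up to the first blank line) is inspected.
function checkFraming(raw) {
  const headEnd = raw.indexOf("\r\n\r\n");
  if (headEnd < 0) return { ok: false, reason: "incomplete head" };
  const lines = raw.slice(0, headEnd).split("\r\n");
  const requestLine = lines.shift();
  if (!/^[A-Z]+ \S+ HTTP\/1\.[01]$/.test(requestLine)) {
    return { ok: false, reason: "malformed request line" };
  }
  const contentLengths = [];
  const transferEncodings = [];
  for (const line of lines) {
    // Obsolete line folding is a classic source of parser disagreement.
    if (/^[ \t]/.test(line)) return { ok: false, reason: "obs-fold header line" };
    const colon = line.indexOf(":");
    if (colon < 1) return { ok: false, reason: "malformed header line" };
    const name = line.slice(0, colon);
    // Whitespace between the field name and the colon is forbidden (RFC 9112
    // section 5.1) and is what payloads like "Transfer-Encoding : chunked"
    // rely on to be seen by one hop and ignored by another.
    if (/\s$/.test(name)) return { ok: false, reason: "whitespace before colon" };
    const value = line.slice(colon + 1).trim();
    const lname = name.toLowerCase();
    if (lname === "content-length") contentLengths.push(value);
    if (lname === "transfer-encoding") transferEncodings.push(value);
  }
  if (transferEncodings.length > 0) {
    // Do not pick a winner between CL and TE: the next hop may pick the other.
    if (contentLengths.length > 0) {
      return { ok: false, reason: "both Content-Length and Transfer-Encoding" };
    }
    const codings = transferEncodings.join(",").split(",").map((s) => s.trim());
    // Accept only a single plain "chunked"; variants such as "xchunked" or
    // "chunked, identity" are handled differently by different servers.
    if (codings.length !== 1 || !/^chunked$/i.test(codings[0])) {
      return { ok: false, reason: "unsupported Transfer-Encoding" };
    }
    return { ok: true, framing: "chunked" };
  }
  if (contentLengths.length > 0) {
    // Strict choice: duplicate Content-Length is rejected even when identical.
    if (contentLengths.length > 1) return { ok: false, reason: "duplicate Content-Length" };
    if (!/^\d+$/.test(contentLengths[0])) return { ok: false, reason: "non-numeric Content-Length" };
    return { ok: true, framing: "content-length", length: Number(contentLengths[0]) };
  }
  return { ok: true, framing: "none", length: 0 };
}

// Constructed CL.TE payload: a Content-Length reader stops after "0\r\n\r\nG",
// while a chunked reader ends the body at the zero-size chunk and treats the
// following "GET /admin ..." as a second request.
const SAMPLE_DESYNC = [
  "POST /api/submit HTTP/1.1",
  "Host: app.example.com",
  "Content-Length: 6",
  "Transfer-Encoding: chunked",
  "",
  "0",
  "",
  "GET /admin HTTP/1.1",
  "Host: app.example.com",
  "",
  "",
].join("\r\n");

// Constructed well-formed request.
const SAMPLE_CLEAN = "POST /api/submit HTTP/1.1\r\nHost: app.example.com\r\nContent-Length: 5\r\n\r\nhello";

console.log(checkFraming(SAMPLE_DESYNC), checkFraming(SAMPLE_CLEAN));
```

Rejecting at the edge is preferable to normalising (for example, stripping Content-Length when Transfer-Encoding is present), because normalisation still leaves the two hops with different views of the original bytes if the rewrite is ever bypassed.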