TL;DR
Please update the Sentry Next.js SDK to version 7.77.0 or higher immediately to mitigate a security vulnerability.
Summary
You are receiving this email because you are listed as the owner of the Sentry organization ledger. This organization appears to be using Sentry's Next.js SDK, which has a critical vulnerability.
We fixed this vulnerability in the Sentry Next.js SDK version 7.77.0. We have no evidence of exploitation of this vulnerability at this time.
Please update the Sentry Next.js SDK to version 7.77.0 or higher immediately. If upgrading the SDK is currently not possible for you, removing the "tunnelRoute" option from the Sentry SDK configuration (usually located in the next.config.js or next.config.mjs files) will mitigate the vulnerability.
If you are hosting your application on Vercel, the exploit has been mitigated at the infrastructure level. However, we still recommend updating your SDK version to 7.77.0 or higher.
More details, including a detailed summary; timeline; and investigation techniques, will be available with the public release of a security advisory, currently scheduled for Thursday, November 9th, 2023 at 12:00 PM Pacific Time. This advisory will be published on the public GitHub for the Sentry Next.js SDK, available at https://github.com/getsentry/sentry-javascript/security.
We are not releasing more details at this time to give you time to upgrade to the new SDK before the vulnerability becomes public.
Questions
If you have questions prior to the release of the public advisory, please contact our support team at support@sentry.io. Please include "INC-553" in the subject line to properly route your request.
No changes for our implementation
Context
Linked resource(s): []
Demo
Expectations to reach
Pull Requests must pass the CI and be internally validated in order to be merged.
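One way to triage a project against the two conditions the notice names (SDK below 7.77.0, `tunnelRoute` present in the Next.js config), as an added example that is not part of Sentry's notice or of this pull request. It assumes the npm package name `@sentry/nextjs`, takes the installed version and the config file text as plain strings, and uses constructed sample configs; the status labels are invented for this example.

```javascript
// Added example: triage a Next.js project against the notice above.
// Inputs are plain strings so the logic runs without touching the filesystem.
const FIXED = [7, 77, 0]; // first fixed SDK version, per the notice

// Returns true/false, or null when the version string cannot be parsed.
function isBelowFixed(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) return null;
  const v = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  // Same numbers as the fixed release: a pre-release tag sorts before it in
  // semver, so it is treated (conservatively, an assumption) as not fixed.
  return Boolean(m[4]);
}

// Heuristic: strip comments, then look for the option name anywhere in the config.
function hasTunnelRoute(configText) {
  const code = configText
    .replace(/\/\*[\s\S]*?\*\//g, "")      // block comments
    .replace(/(^|[^:])\/\/.*$/gm, "$1");   // line comments, leaving "https://" alone
  return /\btunnelRoute\b/.test(code);
}

function triage(installedVersion, configText) {
  const below = isBelowFixed(installedVersion);
  if (below === null) return "unknown-version"; // e.g. a tag or URL: review by hand
  if (!below) return "fixed";
  return hasTunnelRoute(configText) ? "exposed" : "mitigated-upgrade-pending";
}

// Constructed sample configs (not taken from any real project).
const CONFIG_WITH_TUNNEL = `
const { withSentryConfig } = require("@sentry/nextjs");
module.exports = withSentryConfig({
  sentry: { tunnelRoute: "/monitoring" }, // constructed route
});`;
const CONFIG_COMMENTED_OUT = `
module.exports = {
  sentry: {
    // tunnelRoute: "/monitoring",
    hideSourceMaps: true,
  },
};`;

console.log(triage("7.76.0", CONFIG_WITH_TUNNEL));
console.log(triage("7.76.0", CONFIG_COMMENTED_OUT));
console.log(triage("7.77.0", CONFIG_WITH_TUNNEL));
```

Feed `triage` the `version` field from the installed package's `package.json` (a range in the project manifest does not say what is actually installed) and the contents of `next.config.js` or `next.config.mjs`.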