A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.
Prerequisites
Next.js (<14.1.1) is running in a self-hosted* manner.
The Next.js application makes use of Server Actions.
The Server Action performs a redirect to a relative path which starts with a /.
* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.
Patches
This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.
Workarounds
There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.
Credit
Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:
Adam Kues - Assetnote
Shubham Shah - Assetnote
Release Notes
vercel/next.js (next)
### [`v14.1.1`](https://togithub.com/vercel/next.js/releases/tag/v14.1.1)
[Compare Source](https://togithub.com/vercel/next.js/compare/v14.1.0...v14.1.1)
*Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary*
##### Core Changes
- Should not warn metadataBase missing if only absolute urls are present: [https://github.com/vercel/next.js/pull/61898](https://togithub.com/vercel/next.js/pull/61898)
- Fix trailing slash for canonical url: [https://github.com/vercel/next.js/pull/62109](https://togithub.com/vercel/next.js/pull/62109)
- Fix metadata json manifest convention: [https://github.com/vercel/next.js/pull/62615](https://togithub.com/vercel/next.js/pull/62615)
- Improve the Server Actions SWC transform: [https://github.com/vercel/next.js/pull/61001](https://togithub.com/vercel/next.js/pull/61001)
- Fix Server Reference being double registered: [https://github.com/vercel/next.js/pull/61244](https://togithub.com/vercel/next.js/pull/61244)
- Improve the Server Actions SWC transform (part 2): [https://github.com/vercel/next.js/pull/62052](https://togithub.com/vercel/next.js/pull/62052)
- Fix module-level Server Action creation with closure-closed values: [https://github.com/vercel/next.js/pull/62437](https://togithub.com/vercel/next.js/pull/62437)
- Fix draft mode invariant: [https://github.com/vercel/next.js/pull/62121](https://togithub.com/vercel/next.js/pull/62121)
- fix: babel usage with next/image: [https://github.com/vercel/next.js/pull/61835](https://togithub.com/vercel/next.js/pull/61835)
- Fix next/server api alias for ESM pkg: [https://github.com/vercel/next.js/pull/61721](https://togithub.com/vercel/next.js/pull/61721)
- Replace image optimizer IPC call with request handler: [https://github.com/vercel/next.js/pull/61471](https://togithub.com/vercel/next.js/pull/61471)
- chore: refactor image optimization to separate external/internal urls: [https://github.com/vercel/next.js/pull/61172](https://togithub.com/vercel/next.js/pull/61172)
- fix(image): warn when animated image is missing unoptimized prop: [https://github.com/vercel/next.js/pull/61045](https://togithub.com/vercel/next.js/pull/61045)
- fix(build-output): show stack during CSR bailout warning: [https://github.com/vercel/next.js/pull/62594](https://togithub.com/vercel/next.js/pull/62594)
- Fix extra swc optimizer applied to node_modules in browser layer: [https://github.com/vercel/next.js/pull/62051](https://togithub.com/vercel/next.js/pull/62051)
- fix(next-swc): Detect exports.foo from cjs_finder: [https://github.com/vercel/next.js/pull/61795](https://togithub.com/vercel/next.js/pull/61795)
- Fix attempted import error for react: [https://github.com/vercel/next.js/pull/61791](https://togithub.com/vercel/next.js/pull/61791)
- Add stack trace to client rendering bailout error: [https://github.com/vercel/next.js/pull/61200](https://togithub.com/vercel/next.js/pull/61200)
- fix router crash on revalidate + popstate: [https://github.com/vercel/next.js/pull/62383](https://togithub.com/vercel/next.js/pull/62383)
- fix loading issue when navigating to page with async metadata: [https://github.com/vercel/next.js/pull/61687](https://togithub.com/vercel/next.js/pull/61687)
- revert changes to process default routes at build: [https://github.com/vercel/next.js/pull/61241](https://togithub.com/vercel/next.js/pull/61241)
- fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: [https://github.com/vercel/next.js/pull/60776](https://togithub.com/vercel/next.js/pull/60776)
- Improve redirection handling: [https://github.com/vercel/next.js/pull/62561](https://togithub.com/vercel/next.js/pull/62561)
- Simplify node/edge server chunking some: [https://github.com/vercel/next.js/pull/62424](https://togithub.com/vercel/next.js/pull/62424)
##### Credits
Huge thanks to [@huozhi](https://togithub.com/huozhi), [@shuding](https://togithub.com/shuding), [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood), [@styfle](https://togithub.com/styfle), [@ijjk](https://togithub.com/ijjk), [@ztanner](https://togithub.com/ztanner), [@balazsorban44](https://togithub.com/balazsorban44), [@kdy1](https://togithub.com/kdy1), and [@williamli](https://togithub.com/williamli) for helping!
### [`v14.1.0`](https://togithub.com/vercel/next.js/compare/v14.0.4...v14.1.0)
[Compare Source](https://togithub.com/vercel/next.js/compare/v14.0.4...v14.1.0)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
14.0.4
->14.1.1
GitHub Vulnerability Alerts
CVE-2024-34351
Impact
A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the
Host
header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.Prerequisites
<14.1.1
) is running in a self-hosted* manner./
.* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.
Patches
This vulnerability was patched in #62561 and fixed in Next.js
14.1.1
.Workarounds
There are no official workarounds for this vulnerability. We recommend upgrading to Next.js
14.1.1
.Credit
Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:
Adam Kues - Assetnote Shubham Shah - Assetnote
Release Notes
vercel/next.js (next)
### [`v14.1.1`](https://togithub.com/vercel/next.js/releases/tag/v14.1.1) [Compare Source](https://togithub.com/vercel/next.js/compare/v14.1.0...v14.1.1) *Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary* ##### Core Changes - Should not warn metadataBase missing if only absolute urls are present: [https://github.com/vercel/next.js/pull/61898](https://togithub.com/vercel/next.js/pull/61898) - Fix trailing slash for canonical url: [https://github.com/vercel/next.js/pull/62109](https://togithub.com/vercel/next.js/pull/62109) - Fix metadata json manifest convention: [https://github.com/vercel/next.js/pull/62615](https://togithub.com/vercel/next.js/pull/62615) - Improve the Server Actions SWC transform: [https://github.com/vercel/next.js/pull/61001](https://togithub.com/vercel/next.js/pull/61001) - Fix Server Reference being double registered: [https://github.com/vercel/next.js/pull/61244](https://togithub.com/vercel/next.js/pull/61244) - Improve the Server Actions SWC transform (part 2): [https://github.com/vercel/next.js/pull/62052](https://togithub.com/vercel/next.js/pull/62052) - Fix module-level Server Action creation with closure-closed values: [https://github.com/vercel/next.js/pull/62437](https://togithub.com/vercel/next.js/pull/62437) - Fix draft mode invariant: [https://github.com/vercel/next.js/pull/62121](https://togithub.com/vercel/next.js/pull/62121) - fix: babel usage with next/image: [https://github.com/vercel/next.js/pull/61835](https://togithub.com/vercel/next.js/pull/61835) - Fix next/server api alias for ESM pkg: [https://github.com/vercel/next.js/pull/61721](https://togithub.com/vercel/next.js/pull/61721) - Replace image optimizer IPC call with request handler: [https://github.com/vercel/next.js/pull/61471](https://togithub.com/vercel/next.js/pull/61471) - chore: refactor image optimization to separate external/internal urls: [https://github.com/vercel/next.js/pull/61172](https://togithub.com/vercel/next.js/pull/61172) - fix(image): warn when animated image is missing unoptimized prop: [https://github.com/vercel/next.js/pull/61045](https://togithub.com/vercel/next.js/pull/61045) - fix(build-output): show stack during CSR bailout warning: [https://github.com/vercel/next.js/pull/62594](https://togithub.com/vercel/next.js/pull/62594) - Fix extra swc optimizer applied to node_modules in browser layer: [https://github.com/vercel/next.js/pull/62051](https://togithub.com/vercel/next.js/pull/62051) - fix(next-swc): Detect exports.foo from cjs_finder: [https://github.com/vercel/next.js/pull/61795](https://togithub.com/vercel/next.js/pull/61795) - Fix attempted import error for react: [https://github.com/vercel/next.js/pull/61791](https://togithub.com/vercel/next.js/pull/61791) - Add stack trace to client rendering bailout error: [https://github.com/vercel/next.js/pull/61200](https://togithub.com/vercel/next.js/pull/61200) - fix router crash on revalidate + popstate: [https://github.com/vercel/next.js/pull/62383](https://togithub.com/vercel/next.js/pull/62383) - fix loading issue when navigating to page with async metadata: [https://github.com/vercel/next.js/pull/61687](https://togithub.com/vercel/next.js/pull/61687) - revert changes to process default routes at build: [https://github.com/vercel/next.js/pull/61241](https://togithub.com/vercel/next.js/pull/61241) - fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: [https://github.com/vercel/next.js/pull/60776](https://togithub.com/vercel/next.js/pull/60776) - Improve redirection handling: [https://github.com/vercel/next.js/pull/62561](https://togithub.com/vercel/next.js/pull/62561) - Simplify node/edge server chunking some: [https://github.com/vercel/next.js/pull/62424](https://togithub.com/vercel/next.js/pull/62424) ##### Credits Huge thanks to [@huozhi](https://togithub.com/huozhi), [@shuding](https://togithub.com/shuding), [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood), [@styfle](https://togithub.com/styfle), [@ijjk](https://togithub.com/ijjk), [@ztanner](https://togithub.com/ztanner), [@balazsorban44](https://togithub.com/balazsorban44), [@kdy1](https://togithub.com/kdy1), and [@williamli](https://togithub.com/williamli) for helping! ### [`v14.1.0`](https://togithub.com/vercel/next.js/compare/v14.0.4...v14.1.0) [Compare Source](https://togithub.com/vercel/next.js/compare/v14.0.4...v14.1.0)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.