VDB

CVE-2024-34351

Status: PUBLISHED · CVSS 7.5 HIGH

Next.js is a React framework that provides building blocks for creating web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified and the following conditions are also met, an attacker may be able to make requests that appear to originate from the Next.js application server itself. The required conditions are: 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path that starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.

EPSS 92.75% · 99.8th percentile

Risk Scores

CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 92.75% (99.8th percentile)

Affected Products

Vendor   Product   Versions
vercel   next.js   13.4.0, 13.4.0, *
vercel   next.js   13.4.0
npm      next      13.4.0, 13.4.0

Timeline

  • Jan 21, 1970 Security Advisory
  • May 9, 2024 CVE Published
  • May 10, 2024 EPSS Score
  • Oct 4, 2024 Coalition ESS Score
  • Oct 31, 2024 Coalition ESS Score
  • Mar 17, 2025 EPSS Score
  • Mar 23, 2025 EPSS Score
  • Mar 24, 2025 EPSS Score
  • Mar 27, 2025 EPSS Score
  • Mar 28, 2025 EPSS Score
  • Mar 29, 2025 EPSS Score
  • Mar 30, 2025 EPSS Score