CVE-2024-34351 — Next.js Server Actions SSRF
Next.js Server Actions with `redirect()` could be manipulated to issue server-side requests to attacker-controlled hosts, enabling SSRF against internal infrastructure from the Next.js server.
Affected versions
- Next.js 13.4.0 through 14.1.0
What an attacker does
The attacker triggers a Server Action that calls `redirect()` with a user-controlled URL. Before the patch, Next.js's redirect handler followed the redirect with an internal server-side fetch instead of returning a 302 for the client to follow. As a result, the Next.js server itself fetches the attacker-specified URL, which can include private cloud-metadata endpoints.
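Whatever the framework version, the application-level control is to never hand `redirect()` a raw user-supplied target. The following is an added example and is not code from Next.js or from the advisory: `redirect` is a local stub standing in for the `redirect` export of `next/navigation`, and the `returnTo` form field, the action names and the placeholder origin `app.invalid` are assumptions made for the example. It shows the vulnerable shape beside a hardened one that reduces the target to a site-relative path, handling the usual escape tricks (absolute URLs, `//host`, `/\host`, non-http schemes, and `/..//host` path normalisation).

```javascript
// Added example, not Next.js or advisory code. In a real module the first
// line would be 'use server' and `redirect` would be imported from
// 'next/navigation'; here a stub records the target so the example runs offline.
const redirectLog = [];
function redirect(target) {
  redirectLog.push(target); // the real redirect() throws a control-flow error instead
}

// Constructed placeholder for the app's own origin; used only as a parse base.
const SITE_ORIGIN = 'https://app.invalid';

// Reduces a user-supplied return target to a site-relative path, or returns
// `fallback` when the target would leave the site. Rejects absolute URLs,
// protocol-relative `//host`, the backslash variant `/\host` and non-http
// schemes up front, then re-checks the normalised result so that path tricks
// such as `/..//host` cannot yield a protocol-relative Location header.
function safeReturnPath(candidate, fallback = '/') {
  if (typeof candidate !== 'string' || candidate.length === 0) return fallback;
  if (!/^\/(?![\/\\])/.test(candidate)) return fallback; // must be "/" + not "/" or "\"
  let parsed;
  try {
    parsed = new URL(candidate, SITE_ORIGIN);
  } catch {
    return fallback;
  }
  if (parsed.origin !== SITE_ORIGIN) return fallback;    // resolved off-site
  if (parsed.pathname.startsWith('//')) return fallback;  // would read as //host
  return parsed.pathname + parsed.search;                  // fragment dropped
}

// Vulnerable shape: whatever the form sent is handed straight to redirect().
async function loginActionUnsafe(formData) {
  redirect(formData.get('returnTo'));
}

// Hardened shape: the target is constrained before redirect() sees it.
async function loginActionSafe(formData) {
  redirect(safeReturnPath(formData.get('returnTo'), '/dashboard'));
}

// Runs an action with a constructed form payload (a Map stands in for
// FormData) and returns the target the stub recorded. Both actions call
// redirect() before their first await, so the log is populated by the time
// the call returns its promise.
function runAction(action, returnTo) {
  redirectLog.length = 0;
  action(new Map([['returnTo', returnTo]]));
  return redirectLog[0];
}
```

The first regex check is deliberately strict rather than clever; the second gate (parse against a fixed base, compare origin, reject a `//` path prefix) exists because normalisation can turn a path that looks harmless into one a browser treats as a different host.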
How to detect
Audit every `redirect()` call inside a `"use server"` function for URL arguments derived from user-supplied input.
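One way to carry out that audit mechanically, as an added example that is not tooling from the advisory's author or from Next.js: a small scanner that reads source text, keeps only files carrying a `use server` directive (file-level or inside a function body), and reports every `redirect()` or `permanentRedirect()` call whose argument is not a plain string literal. The file contents below are constructed for the example.

```javascript
// Added example, not advisory or Next.js code: line-based audit of Server
// Action modules for redirect targets that need a manual look.

// Matches a 'use server' / "use server" directive on its own line, whether
// at the top of the file or indented inside a function body.
const DIRECTIVE = /^\s*(['"])use server\1\s*;?\s*$/m;
// Finds the start of a redirect() or permanentRedirect() call.
const CALL = /\b(redirect|permanentRedirect)\(/g;
// A single- or double-quoted literal. Template literals are deliberately
// not accepted, so `redirect(`/u/${id}`)` is flagged for review.
const STRING_LITERAL = /^(['"])(?:(?!\1).)*\1$/;

// Returns the argument text between the '(' at `start` and its matching ')',
// or null when the parentheses do not balance on this line.
function extractCallArg(text, start) {
  let depth = 1;
  for (let i = start; i < text.length; i++) {
    if (text[i] === '(') depth++;
    else if (text[i] === ')' && --depth === 0) return text.slice(start, i).trim();
  }
  return null;
}

// `files` maps a path to its source text. Returns one finding per call whose
// argument is not a constant string.
function auditServerActions(files) {
  const findings = [];
  for (const [name, source] of Object.entries(files)) {
    if (!DIRECTIVE.test(source)) continue; // not a Server Action module
    source.split('\n').forEach((text, i) => {
      for (const m of text.matchAll(CALL)) {
        const arg = extractCallArg(text, m.index + m[0].length);
        if (arg !== null && STRING_LITERAL.test(arg)) continue; // constant target
        findings.push({ file: name, line: i + 1, call: m[1], argument: arg });
      }
    });
  }
  return findings;
}

// Constructed sample inputs: one action forwards a form field, one uses a
// constant, and a client component is outside the audit's scope.
const SAMPLE_FILES = {
  'app/actions/login.js': [
    "'use server';",
    "import { redirect } from 'next/navigation';",
    "export async function login(formData) {",
    "  // ... authenticate ...",
    "  redirect(formData.get('returnTo'));",
    "}",
  ].join('\n'),
  'app/actions/logout.js': [
    "'use server';",
    "import { redirect } from 'next/navigation';",
    "export async function logout() {",
    "  redirect('/login');",
    "}",
  ].join('\n'),
  'app/components/nav.js': [
    "'use client';",
    "import { useRouter } from 'next/navigation';",
    "export function go(router, target) { router.push(target); }",
  ].join('\n'),
};
```

This is a triage heuristic, not a proof of safety: it works line by line, so a call split across lines or a variable that was assigned a constant elsewhere is reported as needing review rather than resolved. For a real code base, the same rule is better expressed as an AST query (for example in a lint rule) that can follow the argument back to its source.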
How to fix
Upgrade to Next.js 14.1.1 or later.
Securie's SSRF specialist traces user-controlled URL inputs into Server Actions and maps them to network egress.