Critical Next.js Vulnerability Let Attackers Compromise Server Operations

Two new vulnerabilities have been discovered in Next.js, related to response queue poisoning and SSRF on certain Next.js versions.

These vulnerabilities have been assigned CVE-2024-34350 and CVE-2024-34351, and their severity has been given as 7.5 (High). 

The Response queue poisoning vulnerability exists due to inconsistent interpretation of crafted HTTP requests, which are meant to be treated as a single request and two separate requests.

Additionally, the SSRF vulnerability exists due to a vulnerable Next.js component that is present and enabled by default.

However, these vulnerabilities have been patched in the latest versions of Next.js, and security advisories have been published to address them. Moreover, a proof of concept for CVE-2024-34351 has also been published.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

CVE-2024-34350: Next.js Vulnerable To HTTP Request Smuggling

According to the reports shared with Cyber Security News, this vulnerability, when exploited by threat actors, can potentially lead to desynchronized responses from Next.js, which in turn leads to response queue poisoning. 

Response queue poisoning was first discovered by Portswigger research. It is a powerful form of request smuggling attack that can manipulate a front-end server and map wrong back-end responses. 

However, in order to exploit this vulnerability, the affected routes must be making use of the rewrites feature in Next.js. There have been no workarounds for this vulnerability, but this vulnerability has been patched in Next.js versions 13.5.1 and newer versions, including 14.x.

CVE-2024-34351 : Server-Side Request Forgery In Server Actions

This particular vulnerability exists due to a vulnerable API endpoint _next/image used to locate an image in the backend.

This image locating is done using a URL like the one below, along with an ordinary image tag. To provide an insight, Next.js has an option to resize images using _next/image component which is a built-in component and enabled by default.

https://example.com/_next/image?url=https://cdn.example.com/i/rabbit.png&w=256&q=75

However, when visiting the image-locating URL, NextJS requests//localhost/duck.jpg to resize it using a server-side image manipulation library before returning it to the user.

Moreover, this URL feature can also serve images from other domains using the remotePatterns functionality in next.config.js file. 

The Next.js source code reveals an interesting fact: if a server action is called and the response is a redirect, certain parameters are used in the redirect.

If the redirect starts with a /, the server will take the result of the redirect _server_side_ and return it to the client. This particular _server_side_ was found to be taking the host header from the client.

If the host header is pointed to an internal host, NextJS will fetch the response from the application itself which potentially leads to a SSRF vulnerability. This vulnerability has been patched in NextJS versions 14.1.1.

Furthermore, a complete proof of concept for this vulnerability has been published by Assetnote which provides detailed information about the exploitation, source code and other information.

It is recommended that NextJS users upgrade to the latest versions to prevent these vulnerabilities from being exploited.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide