CVE-2024-34351: Vercel Next.js SSRF Vulnerability

CVE-2024-34351 Overview

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions that allows attackers to make requests appearing to originate from the Next.js application server itself. The vulnerability is triggered when an attacker modifies the Host header under specific conditions, potentially enabling unauthorized access to internal resources and services that trust requests from the application server.

Critical Impact
Attackers can abuse the SSRF vulnerability to pivot through the Next.js server, accessing internal services, cloud metadata endpoints, and other network resources that would otherwise be inaccessible from external networks.

Affected Products

Vercel Next.js versions prior to 14.1.1
Self-hosted Next.js deployments using Server Actions
Applications where Server Actions perform redirects to relative paths starting with /

Discovery Timeline

May 14, 2024 - CVE-2024-34351 published to NVD
September 10, 2025 - Last updated in NVD database

Technical Details for CVE-2024-34351

Vulnerability Analysis

This SSRF vulnerability exists within the Next.js Server Actions implementation. The flaw allows an attacker to craft requests that manipulate how the server processes redirects, enabling the server to make outbound requests to arbitrary destinations on behalf of the attacker. The vulnerability requires three specific conditions to be exploitable: the Next.js application must be self-hosted (not deployed on Vercel's managed infrastructure), the application must utilize Server Actions functionality, and a Server Action must perform a redirect to a relative path beginning with /.

When these conditions align, an attacker who controls the Host header can cause the Next.js server to issue requests to attacker-controlled destinations. This is particularly dangerous in cloud environments where metadata endpoints (such as 169.254.169.254 on AWS) can be accessed to retrieve sensitive credentials and configuration data.

Root Cause

The root cause stems from improper validation of the Host header when processing Server Action redirects. The framework incorrectly uses the attacker-supplied Host header to construct the full URL for redirect requests. When a Server Action returns a redirect to a relative path (e.g., /callback), the application constructs the absolute URL using the Host header value, allowing attackers to redirect requests to arbitrary external hosts instead of the intended internal redirect destination.

Attack Vector

The attack is network-accessible and requires no authentication or user interaction. An attacker sends a crafted HTTP request to a Server Action endpoint with a malicious Host header pointing to an attacker-controlled server or internal resource. When the Server Action processes a redirect to a relative path, the Next.js server makes an HTTP request to the attacker-specified destination, potentially leaking sensitive response data or enabling further attacks against internal infrastructure.

The attack flow involves sending a request to a Next.js Server Action with a modified Host header, the Server Action returning a redirect to a relative path, the Next.js server constructing the redirect URL using the malicious Host value, and finally the server making an outbound request to the attacker-specified destination.

Detection Methods for CVE-2024-34351

Indicators of Compromise

Unusual outbound HTTP requests from Next.js application servers to internal IP ranges or cloud metadata endpoints
HTTP request logs showing mismatched Host headers that don't correspond to legitimate application domains
Unexpected traffic to 169.254.169.254 or other cloud provider metadata services from application servers
Server Action endpoint access with anomalous Host header values in access logs

Detection Strategies

Implement web application firewall (WAF) rules to detect and block requests with Host headers that don't match expected application domains
Monitor network traffic from Next.js servers for connections to internal IP ranges, localhost, or cloud metadata endpoints
Enable detailed logging on Server Action endpoints and analyze for anomalous Host header patterns
Deploy network segmentation monitoring to detect lateral movement attempts originating from web application servers

Monitoring Recommendations

Configure alerting for any outbound connections from Next.js servers to RFC 1918 private IP ranges or link-local addresses
Implement egress filtering and monitoring on application servers to detect SSRF exploitation attempts
Review application logs for Server Action invocations with unexpected redirect behaviors
Monitor for increased traffic to cloud metadata endpoints from application tier servers

How to Mitigate CVE-2024-34351

Immediate Actions Required

Upgrade Next.js to version 14.1.1 or later immediately for all self-hosted deployments
Review Server Action implementations to identify any that perform redirects to relative paths
Implement Host header validation at the reverse proxy or load balancer level to reject requests with unexpected values
Apply network-level controls to restrict outbound connections from application servers to only necessary destinations

Patch Information

Vercel has released a fix in Next.js version 14.1.1. The patch addresses the improper Host header handling in Server Actions redirect processing. Organizations should upgrade to this version or later as soon as possible. The fix is available in the GitHub commit 8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085 and the associated pull request #62561. Additional details are available in the GitHub Security Advisory GHSA-fr5h-rqp8-mj6g.

Workarounds

If immediate patching is not possible, implement strict Host header validation at the reverse proxy layer to only allow legitimate domain values
Configure network-level egress filtering to prevent the application server from making outbound requests to internal networks or metadata endpoints
Consider temporarily disabling Server Actions that perform redirects until the patch can be applied
Deploy a Web Application Firewall (WAF) with rules to detect and block SSRF patterns targeting cloud metadata endpoints

bash

# Example nginx configuration to validate Host header
# Add to server block before location directives
if ($host !~* ^(yourdomain\.com|www\.yourdomain\.com)$) {
    return 444;
}

# Block requests to cloud metadata endpoints at the proxy level
location / {
    proxy_pass http://nextjs_backend;
    proxy_set_header Host $host;
    # Additional security headers
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

CVE-2024-34351 Overview

Critical Impact
Attackers can abuse the SSRF vulnerability to pivot through the Next.js server, accessing internal services, cloud metadata endpoints, and other network resources that would otherwise be inaccessible from external networks.

Affected Products

Vercel Next.js versions prior to 14.1.1
Self-hosted Next.js deployments using Server Actions
Applications where Server Actions perform redirects to relative paths starting with /

Discovery Timeline

May 14, 2024 - CVE-2024-34351 published to NVD
September 10, 2025 - Last updated in NVD database

Technical Details for CVE-2024-34351

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-34351

Indicators of Compromise

Unusual outbound HTTP requests from Next.js application servers to internal IP ranges or cloud metadata endpoints
HTTP request logs showing mismatched Host headers that don't correspond to legitimate application domains
Unexpected traffic to 169.254.169.254 or other cloud provider metadata services from application servers
Server Action endpoint access with anomalous Host header values in access logs

Detection Strategies

Implement web application firewall (WAF) rules to detect and block requests with Host headers that don't match expected application domains
Monitor network traffic from Next.js servers for connections to internal IP ranges, localhost, or cloud metadata endpoints
Enable detailed logging on Server Action endpoints and analyze for anomalous Host header patterns
Deploy network segmentation monitoring to detect lateral movement attempts originating from web application servers

Monitoring Recommendations

Configure alerting for any outbound connections from Next.js servers to RFC 1918 private IP ranges or link-local addresses
Implement egress filtering and monitoring on application servers to detect SSRF exploitation attempts
Review application logs for Server Action invocations with unexpected redirect behaviors
Monitor for increased traffic to cloud metadata endpoints from application tier servers

How to Mitigate CVE-2024-34351

Immediate Actions Required

Upgrade Next.js to version 14.1.1 or later immediately for all self-hosted deployments
Review Server Action implementations to identify any that perform redirects to relative paths
Implement Host header validation at the reverse proxy or load balancer level to reject requests with unexpected values
Apply network-level controls to restrict outbound connections from application servers to only necessary destinations

Patch Information

Workarounds

If immediate patching is not possible, implement strict Host header validation at the reverse proxy layer to only allow legitimate domain values
Configure network-level egress filtering to prevent the application server from making outbound requests to internal networks or metadata endpoints
Consider temporarily disabling Server Actions that perform redirects until the patch can be applied
Deploy a Web Application Firewall (WAF) with rules to detect and block SSRF patterns targeting cloud metadata endpoints

bash

# Example nginx configuration to validate Host header
# Add to server block before location directives
if ($host !~* ^(yourdomain\.com|www\.yourdomain\.com)$) {
    return 444;
}

# Block requests to cloud metadata endpoints at the proxy level
location / {
    proxy_pass http://nextjs_backend;
    proxy_set_header Host $host;
    # Additional security headers
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

CVE-2024-34351: Vercel Next.js SSRF Vulnerability

CVE-2024-34351 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2024-34351

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-34351

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2024-34351

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform

CVE-2024-34351: Vercel Next.js SSRF Vulnerability

CVE-2024-34351 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2024-34351

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-34351

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2024-34351

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform