GoogleOSV:GHSA-2RMR-XW8M-22Q9Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint
9.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
0.001 Low
EPSS
Percentile
20.8%
Impact
An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open door for other attack vectors:
- client-side vulnerabilities: XSS/CSRF in the context of the trusted domain;
- interaction with internal network;
- read cloud metadata endpoints (AWS, Azure, Google Cloud, etc.);
- local/remote port scan.
This issue only affects users who have Next.js SDK tunneling feature enabled.
Patches
The problem has been fixed in sentry/[email protected]
Workarounds
Disable tunneling by removing the tunnelRoute option from Sentry Next.js SDK config — next.config.js or next.config.mjs.
References
Credits
| CPE | Name | Operator | Version |
|---|---|---|---|
| @sentry/nextjs | ge | 7.26.0 | |
| @sentry/nextjs | lt | 7.77.0 |
References
blog.sentry.io/next-js-sdk-security-advisory-cve-2023-46729
docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/#configure-tunneling-to-avoid-ad-blockers
github.com/getsentry/sentry-javascript
github.com/getsentry/sentry-javascript/commit/ddbda3c02c35aba8c5235e0cf07fc5bf656f81be
github.com/getsentry/sentry-javascript/pull/9415
github.com/getsentry/sentry-javascript/security/advisories/GHSA-2rmr-xw8m-22q9
nvd.nist.gov/vuln/detail/CVE-2023-46729
www.npmjs.com/package/@sentry/nextjs/v/7.77.0
Related
9.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
0.001 Low
EPSS
Percentile
20.8%