CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence: Low
EPSS Percentile: 46.7%
The next package (Next.js) is vulnerable to Server-Side Request Forgery (SSRF) due to improper handling of the Host header within Server Actions. When a Server Action redirects to a relative path, the server resolves that path against the incoming Host header and issues the follow-up request itself. Because the Host header is attacker-controlled, an attacker can steer that server-side request to a host of their choosing, including internal network resources, and the request appears to originate from the Next.js application server. The vulnerability is only exploitable if the Server Action performs a redirect to a relative path which starts with a /.