Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

CVE-2024-34351 PoC — Next.js Server-Side Request Forgery in Server Actions

Source
https://github.com/God4n/nextjs-CVE-2024-34351-_exploit
Associated Vulnerability
Title:Next.js Server-Side Request Forgery in Server Actions (CVE-2024-34351)
Description:Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.
Description
PoC for a full exploitation of NextJS SSRF (CVE-2024-34351)
Readme
# CVE-2024-34351 Exploit

- [CVE-2024-34351 PoC](https://github.com/azu/nextjs-CVE-2024-34351/)
- [Next.js Server-Side Request Forgery in Server Actions · CVE-2024-34351 · GitHub Advisory Database](https://github.com/advisories/GHSA-fr5h-rqp8-mj6g)
- [Digging for SSRF in NextJS apps](https://www.assetnote.io/resources/research/digging-for-ssrf-in-nextjs-apps)

## Summary

PoC for a full exploitation of NextJS SSRF. An attacker can get any website content from Next.js server using CVE-2024-34351 vulnerability.
This vulnerability is fixed in `next@14.1.1`.

## Usage

- Prepare a redirect server.
```
deno run --allow-net --allow-read attacker-server.ts
```
- Modify `Host` header to attacker server
- Modify `Origin` header to attacker server
- Finally you can change the resource placed in the `Origin` header to specify where to redirect to

![Example 1](examples/1.png)
![Example 2](examples/2.png)
File Snapshot

 [4.0K]  /data/pocs/9d46f643587c9c75efd9d322be307042ef3822ba
├── [1.1K]  attacker-server.py
├── [ 914]  attacker-server.ts
├── [4.0K]  examples
│   ├── [178K]  1.png
│   └── [152K]  2.png
└── [ 908]  README.md

1 directory, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →