Next.js Server-Side Request Forgery in Server Actions
Description
Next.js is a React framework that provides building blocks for creating web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the Host header is modified, and the conditions below are also met, an attacker may be able to make requests that appear to originate from the Next.js application server itself. The required conditions are: 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path that starts with a /. This vulnerability was fixed in Next.js 14.1.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| next (npm) | >= 13.4.0, < 14.1.1 | 14.1.1 |
Patches
8f7a6ca7d21a Improve redirection handling (#62561)
2 files changed · +6 −1
packages/next/src/server/app-render/action-handler.ts+5 −1 modified@@ -179,9 +179,13 @@ async function createRedirectRenderResult( const forwardedHeaders = getForwardedHeaders(req, res) forwardedHeaders.set(RSC_HEADER, '1') - const host = originalHost.value const proto = staticGenerationStore.incrementalCache?.requestProtocol || 'https' + + // For standalone or the serverful mode, use the internal hostname directly + // other than the headers from the request. + const host = process.env.__NEXT_PRIVATE_HOST || originalHost.value + const fetchUrl = new URL( `${proto}://${host}${basePath}${parsedRedirectUrl.pathname}` )
packages/next/src/server/lib/start-server.ts+1 −0 modified@@ -246,6 +246,7 @@ export async function startServer( // expose the main port to render workers process.env.PORT = port + '' + process.env.__NEXT_PRIVATE_HOST = `${actualHostname}:${port}` // Only load env and config in dev to for logging purposes let envInfo: string[] | undefined
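Review bot: in the action-handler.ts hunk, the fallback in `const host = process.env.__NEXT_PRIVATE_HOST || originalHost.value` keeps the request's Host header as the fetch target whenever the variable is unset, so any entrypoint that does not pass through startServer (a custom server, or any mode that never exports the variable) retains the vulnerable behaviour; either fail closed when the variable is missing or validate originalHost.value against the configured hostname before interpolating it into `new URL(...)`. A second point: proto is still derived separately from `staticGenerationStore.incrementalCache?.requestProtocol || 'https'`, while the new host is the listener's own `${actualHostname}:${port}`; confirm that listener actually serves HTTPS in the modes named in the comment, otherwise the internal fetch now goes to https://<listener> on a plain-HTTP port. Minor wording: "use the internal hostname directly other than the headers from the request" should read "rather than the headers from the request".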
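Review bot: in the start-server.ts hunk, `process.env.__NEXT_PRIVATE_HOST = \`${actualHostname}:${port}\`` is exported with no comment naming its consumer or the format it expects; add a note pointing at createRedirectRenderResult in action-handler.ts, since the value is interpolated unchanged into a URL there. It is also worth checking that actualHostname is URL-safe and connectable at this point: an IPv6 literal needs brackets to parse as a URL host, and a wildcard bind address is not an address the server can fetch from, so the value may need normalizing before it is exported.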
Vulnerability mechanics
When a Server Action redirects to a relative path, the server does not just return a 3xx to the client: createRedirectRenderResult in packages/next/src/server/app-render/action-handler.ts builds an absolute URL from the request protocol, a host value and the redirect pathname, sets the RSC header on a copy of the forwarded request headers, and fetches that URL from the server side. Before the fix the host came from originalHost.value, i.e. the incoming Host header. A client that sends a Host header naming an attacker-controlled server therefore causes the Next.js process to issue that fetch to the attacker's host, from the server's own network position and carrying the forwarded headers. The patch adds a private environment variable, __NEXT_PRIVATE_HOST, which packages/next/src/server/lib/start-server.ts sets to the listener's own hostname and port, and action-handler.ts now uses it in preference to the Host header. This matches the advisory's self-hosting condition: the fix is wired into startServer, and the Host header is still used whenever __NEXT_PRIVATE_HOST is unset. Until an upgrade to 14.1.1 is possible, a reverse proxy in front of Node that rewrites or rejects unexpected Host headers removes the attacker's control over the constructed URL.
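The URL construction from the fix commit, modelled as an added example rather than code from the Next.js repository. The input field names, the `demo()` driver and the `fetchUrlHardened` allowlist variant are assumptions made for illustration; only the template string `${proto}://${host}${basePath}${pathname}` and the `__NEXT_PRIVATE_HOST || originalHost` fallback come from the diff.

```typescript
// Added example modelling createRedirectRenderResult's URL construction
// before and after commit 8f7a6ca. Not Next.js code; names are assumed.

export interface RedirectInput {
  hostHeader: string;     // incoming Host header; attacker-controlled
  privateHost?: string;   // process.env.__NEXT_PRIVATE_HOST (unset on vulnerable versions)
  proto?: string;         // incrementalCache.requestProtocol; the diff defaults it to 'https'
  basePath?: string;      // configured basePath, '' when none
  redirectPath: string;   // parsedRedirectUrl.pathname from redirect('/...')
}

function buildUrl(proto: string, host: string, basePath: string, path: string): URL {
  // Same template as action-handler.ts: `${proto}://${host}${basePath}${pathname}`
  return new URL(`${proto}://${host}${basePath}${path}`);
}

// Before the fix: the host is whatever the client put in the Host header.
export function fetchUrlBeforeFix(i: RedirectInput): string {
  return buildUrl(i.proto ?? "https", i.hostHeader, i.basePath ?? "", i.redirectPath).href;
}

// After the fix: prefer the listener address exported by start-server.ts,
// but fall back to the Host header when that variable is missing.
export function fetchUrlAfterFix(i: RedirectInput): string {
  const host = i.privateHost || i.hostHeader;
  return buildUrl(i.proto ?? "https", host, i.basePath ?? "", i.redirectPath).href;
}

// Hardened variant (assumption, not part of the patch): fail closed unless the
// resulting host is one the operator has declared as the application's own.
export function fetchUrlHardened(i: RedirectInput, allowedHosts: readonly string[]): string {
  const host = i.privateHost || i.hostHeader;
  const url = buildUrl(i.proto ?? "https", host, i.basePath ?? "", i.redirectPath);
  if (!allowedHosts.includes(url.host)) {
    throw new Error(`refusing internal fetch to untrusted host ${url.host}`);
  }
  return url.href;
}

// Constructed request for the three cases: the client sends a tampered Host
// header while the server listens on 127.0.0.1:3000 over plain HTTP.
export function demo(): Record<string, string> {
  const tampered: RedirectInput = { hostHeader: "attacker.example", redirectPath: "/dashboard" };
  const out: Record<string, string> = {
    before: fetchUrlBeforeFix(tampered),
    afterWithEnv: fetchUrlAfterFix({ ...tampered, privateHost: "127.0.0.1:3000", proto: "http" }),
    afterWithoutEnv: fetchUrlAfterFix(tampered),
  };
  try {
    out.hardened = fetchUrlHardened(tampered, ["app.example"]);
  } catch (e) {
    out.hardened = (e as Error).message;
  }
  return out;
}
```

`demo()` returns the attacker's host as the fetch target for the vulnerable build, the local listener once `__NEXT_PRIVATE_HOST` is set, the attacker's host again when it is not, and a refusal from the allowlisted variant. The allowlist is keyed on `URL.host` (hostname plus non-default port), so a Host header carrying a port or userinfo is judged on what the URL parser actually resolves, not on the raw header string.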
References
- github.com/advisories/GHSA-fr5h-rqp8-mj6g (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-34351 (NVD)
- github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085 (fix commit)
- github.com/vercel/next.js/pull/62561 (fix pull request)
- github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g (vendor advisory)