Vulnerability Report: CVE-2024-34351

Title: Vercel Next.js Server-Side Request Forgery (SSRF)

Proof of Concept: available (see the Exploits & PoCs section below)

CWE Category: CWE-918
Published Date: May 14, 2024
Modified Date: Sep 10, 2025
Exploit Status: Available
Score: 7.5 (CVSS v3.1)
Exploit Probability (EPSS): 92.75%

Vulnerability Summary

CVE-2024-34351: Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.

CVSS v3.1 (Source Entity: [email protected])
Severity: HIGH (7.5)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE
Raw Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v3.1 (Source Entity: [email protected])
Severity: HIGH (7.5)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: HIGH
Availability: NONE
Raw Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2024-34351 Exploits & PoCs (Proof of Concept)

GitHub: https://github.com/Voorivex/CVE-2024-34351
GitHub: https://github.com/God4n/nextjs-CVE-2024-34351-_exploit
GitHub: https://github.com/avergnaud/Next.js_exploit_CVE-2024-34351
Timeline

Published (May 14, 2024): vulnerability first announced in NVD.
Modified (Sep 10, 2025): vulnerability data or affected products updated.

Attack Vector Matrix

Access Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Stack

No specific products linked.