Next.js Remote Patterns Server-Side Request Forgery

medium Web App Scanning Plugin ID 114430

Language:

Synopsis

Next.js Remote Patterns Server-Side Request Forgery

Description

Next.js framework embeds an image optimization component which is enabled by default and allows dynamic resizing when requested. This feature leverages the 'next.config.js' configuration file to ensure that the target host being requested is allowed. When misconfigured, a remote and unauthenticated attacker can achieve, by default, a blind server-side request forgery and performs arbitrary requests from the target Next.js instance. Depending on the Next.js version, this can be escalated into a Cross-Site Scripting attack or leak the content of XML responses.

Solution

Ensure that the 'remotePatterns' configured in 'next.config.js' does not allow requests to any host.

See Also

https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns

https://www.assetnote.io/resources/research/digging-for-ssrf-in-nextjs-apps

Plugin Details

Severity: Medium

ID: 114430

Type: remote

Family: Component Vulnerability

Published: 9/17/2024

Updated: 9/17/2024

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.0

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS Score Source: Tenable

Vulnerability Information

CPE: cpe:2.3:a:zeit:next.js:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CWE: 918

OWASP: 2010-A6, 2013-A5, 2013-A9, 2017-A6, 2017-A9, 2021-A10, 2021-A6

WASC: Application Misconfiguration

DISA STIG: APSC-DV-002560, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-CM-6b

OWASP API: 2019-API7, 2023-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.2.6

PCI-DSS: 3.2-6.2, 3.2-6.5.9