An unsanitized input of the Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open the door to other attack vectors:

* client-side vulnerabilities: XSS/CSRF in the context of the trusted domain;
* interaction with the internal network;
* reading cloud metadata endpoints (AWS, Azure, Google Cloud, etc.);
* local/remote port scanning.
This issue only affects users who have Next.js SDK tunneling feature enabled.
The problem has been fixed in sentry/nextjs@7.77.0.
Disable tunneling by removing the tunnelRoute option from the Sentry Next.js SDK config (next.config.js or next.config.mjs).
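As an added illustration (not Sentry's own code or the actual patch), the following shows the defect class the advisory describes and its remedy in a minimal tunnel forwarder: the unsafe variant derives the upstream URL from the DSN found in the request's envelope header, while the hardened variant forwards only when that DSN matches the server's configured one. The DSN values and envelopes are constructed samples.

```javascript
// Added illustration (not Sentry's own code) of pinning a tunnel endpoint's
// forwarding target to the configured DSN instead of trusting the envelope.
// All DSNs and envelopes below are constructed sample values.
const CONFIGURED_DSN = "https://examplePublicKey@o0.ingest.sentry.io/1234567";

// Envelope whose header names the configured DSN (legitimate client traffic).
const LEGIT_ENVELOPE =
  JSON.stringify({ dsn: CONFIGURED_DSN, sent_at: "2023-11-01T00:00:00Z" }) +
  '\n{"type":"event"}\n{"message":"hello"}\n';

// Envelope whose header points the tunnel at an internal host instead.
const FORGED_ENVELOPE =
  JSON.stringify({ dsn: "http://anykey@internal-host.example/1" }) +
  '\n{"type":"event"}\n{}\n';

function parseDsn(dsn) {
  const u = new URL(dsn);
  const projectId = u.pathname.replace(/^\/+/, "");
  if (!u.hostname || !/^\d+$/.test(projectId)) throw new Error("malformed DSN");
  return { host: u.hostname, projectId };
}

// Vulnerable pattern: the upstream URL is derived from whatever DSN the request
// body carries, so the caller chooses where the server sends the request.
function unsafeTarget(envelope) {
  const header = JSON.parse(envelope.split("\n")[0]);
  const { host, projectId } = parseDsn(header.dsn);
  return `https://${host}/api/${projectId}/envelope/`;
}

// Hardened pattern: the envelope DSN must match the server-side configured DSN
// (host and project id); anything else is rejected (null) before any request is made.
function safeTarget(envelope, configuredDsn = CONFIGURED_DSN) {
  let header;
  try { header = JSON.parse(envelope.split("\n")[0]); } catch { return null; }
  if (!header || typeof header.dsn !== "string") return null;
  let got, want;
  try { got = parseDsn(header.dsn); want = parseDsn(configuredDsn); } catch { return null; }
  if (got.host !== want.host || got.projectId !== want.projectId) return null;
  // Build the URL from the trusted configuration, never from the request.
  return `https://${want.host}/api/${want.projectId}/envelope/`;
}
```

The same comparison against the configured DSN is what a detection rule on tunnel-route logs would key on: any envelope naming a host other than the configured ingest host is a probe, not client traffic.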
{ "github_reviewed_at": "2023-11-09T22:03:44Z", "cwe_ids": [ "CWE-918" ], "nvd_published_at": "2023-11-10T01:15:07Z", "severity": "MODERATE", "github_reviewed": true }