CVE-2023-46729
CRITICAL: Sentry JavaScript SDK 7.26.0 - 7.76.9 - Server-Side Request Forgery via Next.js Tunnel Endpoint
sentry-javascript provides the Sentry SDKs for JavaScript. The Next.js SDK's tunnel endpoint, which relays event envelopes from the browser to Sentry so that ad-blockers do not drop them, did not sanitize the input that determines the forwarding target. A request to the tunnel could therefore make the server issue an HTTP request to an arbitrary URL and return the response to the requester (server-side request forgery, CWE-918). Only deployments that have the Next.js SDK's tunneling feature enabled are affected. The problem has been fixed in version 7.77.0.
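To make the failure mode and the corresponding check concrete, here is an added illustration of a tunnel endpoint's forwarding decision. It is not code from sentry-javascript and not the fix from the referenced pull request; the function names, the sample envelopes and the fake fetch are constructed for this example. It assumes the documented envelope shape (newline-separated, first line a JSON header carrying the client's DSN) and the DSN form https://<publicKey>@<host>/<projectId>.

```javascript
// Added illustration, not code from sentry-javascript or from the fix in the
// referenced pull request. It models the decision a tunnel endpoint has to
// make: where may an incoming envelope be forwarded? Function names and the
// sample envelopes below are constructed for this example.

// A Sentry DSN looks like https://<publicKey>@<host>/<projectId>.
function parseDsn(dsn) {
  const u = new URL(dsn);
  const projectId = u.pathname.replace(/\/+$/, "").split("/").pop();
  if (!/^\d+$/.test(projectId)) {
    throw new Error("DSN has no numeric project id: " + dsn);
  }
  return { host: u.host, projectId };
}

// An envelope is newline-separated; its first line is a JSON header that
// carries the DSN the client SDK was configured with.
function envelopeHeader(envelope) {
  return JSON.parse(envelope.split("\n")[0]);
}

function ingestUrl({ host, projectId }) {
  return `https://${host}/api/${projectId}/envelope/`;
}

// Vulnerable shape (CWE-918): the forwarding target is taken straight from
// client-controlled input, so any host can be reached through the server.
function resolveUpstreamUnchecked(envelope) {
  return ingestUrl(parseDsn(envelopeHeader(envelope).dsn));
}

// Hardened shape: the DSN in the envelope must match, host and project id,
// one of the DSNs the server itself was configured with.
function resolveUpstreamChecked(envelope, allowedDsns) {
  const target = parseDsn(envelopeHeader(envelope).dsn);
  const permitted = allowedDsns
    .map(parseDsn)
    .some((a) => a.host === target.host && a.projectId === target.projectId);
  if (!permitted) {
    throw new Error(`refusing to forward to ${target.host}/${target.projectId}`);
  }
  return ingestUrl(target);
}

// Forwarder with an injected fetch so the example runs offline. Only the
// upstream status is returned; the upstream body is not echoed to the caller,
// which closes the "reflect the response" half of the issue.
async function tunnel(envelope, allowedDsns, fetchImpl) {
  const upstream = resolveUpstreamChecked(envelope, allowedDsns);
  const res = await fetchImpl(upstream, { method: "POST", body: envelope });
  return { upstream, status: res.status };
}

// Constructed sample data (hypothetical DSN, hypothetical internal host).
const CONFIGURED_DSN = "https://examplePublicKey@o100.ingest.sentry.io/200";
const legitEnvelope =
  JSON.stringify({ dsn: CONFIGURED_DSN, sent_at: "2023-11-10T00:00:00.000Z" }) +
  '\n{"type":"event"}\n{"message":"hello"}\n';
const hostileEnvelope =
  JSON.stringify({ dsn: "https://examplePublicKey@internal.example/200" }) +
  '\n{"type":"event"}\n{}\n';
const wrongProjectEnvelope =
  JSON.stringify({ dsn: "https://examplePublicKey@o100.ingest.sentry.io/999" }) +
  '\n{"type":"event"}\n{}\n';

const fakeFetch = async (url) => ({ status: 200, url });

tunnel(legitEnvelope, [CONFIGURED_DSN], fakeFetch).then((r) => console.log(r));
for (const env of [hostileEnvelope, wrongProjectEnvelope]) {
  try {
    resolveUpstreamChecked(env, [CONFIGURED_DSN]);
  } catch (e) {
    console.log("blocked:", e.message);
  }
}
```

The check compares both host and project id against the server's own configuration rather than, say, a suffix match on the hostname, because a suffix or substring match is exactly the kind of sanitizer that string tricks in the userinfo or path portion of a URL tend to defeat. Refusing to echo the upstream body removes the second half of the impact even if a target slips through.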
References
Vendor Advisory: https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-2rmr-xw8m-22q9
Patch (pull request): https://github.com/getsentry/sentry-javascript/pull/9415
Scores
CVSS v3.1: 9.3 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector: Network
EPSS: 0.0063 (45.6th percentile)
CISA SSVC (Vulnrichment): Exploitation none; Automatable no; Technical Impact total
Details
CWE: CWE-918 (Server-Side Request Forgery)
Status: published
Products (2)
sentry/nextjs (npm): 7.26.0 through 7.76.x, fixed in 7.77.0
sentry/sentry_software_development_kit: 7.26.0 through 7.76.x, fixed in 7.77.0
Published: Nov 10, 2023
Tracked since: Feb 18, 2026