CVE-2024-34351

Severity: HIGH · Nuclei template available

Next.js 13.4.0-14.1.1 - Server-Side Request Forgery via Server Actions Redirect

Title source: manual

Exploitation Summary

EIP tracks 5 public exploits for CVE-2024-34351. PoCs have been published by iSee857, Voorivex and God4n. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains functional exploit code for multiple CVEs, including CVE-2026-22812, which demonstrates command execution via a session-based API endpoint. The code includes proper error handling, threading for batch scanning, and JSON payload construction.

Description

Next.js is a React framework that provides building blocks for creating web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the following conditions are also met, an attacker may be able to make requests that appear to originate from the Next.js application server itself. The required conditions are: 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.

Exploits (5)

github WORKING POC 40 stars
by iSee857 · python · poc
https://github.com/iSee857/CVE-PoC/tree/main/NextJs_SSRF(CVE-2024-34351).py

The repository contains functional exploit code for multiple CVEs, including CVE-2026-22812, which demonstrates command execution via a session-based API endpoint. The code includes proper error handling, threading for batch scanning, and JSON payload construction.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenCode (CVE-2026-22812), Altenergy (CVE-2024-11305), and others
No auth needed
Prerequisites: network access to target · target service running
devstral-2 · analyzed Feb 27, 2026
nomisec STUB 11 stars
by Voorivex · poc
https://github.com/Voorivex/CVE-2024-34351

The repository contains minimal setup files for a Next.js project but lacks any exploit code or technical details about CVE-2024-34351. It appears to be a placeholder or test-bed without functional PoC.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Next.js 14.1.0
No auth needed
Prerequisites: Next.js 14.1.0 environment
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 8 stars
by God4n · poc
https://github.com/God4n/nextjs-CVE-2024-34351-_exploit

This repository contains a functional proof-of-concept exploit for CVE-2024-34351, a Server-Side Request Forgery (SSRF) vulnerability in Next.js. The exploit involves setting up a redirect server that manipulates headers to trigger the SSRF, allowing an attacker to fetch arbitrary content from the Next.js server.

Classification: Working PoC 95%
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Next.js versions prior to 14.1.1
No auth needed
Prerequisites: A vulnerable Next.js server · Ability to send crafted HTTP requests with modified headers
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by avergnaud · poc
https://github.com/avergnaud/Next.js_exploit_CVE-2024-34351

This repository contains functional exploit code demonstrating CVE-2024-34351 in Next.js, showcasing client-side rendering (CSR) and server-side rendering (SSR) vulnerabilities. The PoC includes multiple test cases for data loading and routing, illustrating the vulnerability's impact.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Next.js (version not specified)
No auth needed
Prerequisites: Access to a vulnerable Next.js application
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by Jinlei-Chen-UWO · poc
https://github.com/Jinlei-Chen-UWO/cve-2024-34351-demo

This repository contains a functional proof-of-concept for CVE-2024-34351, an SSRF vulnerability in Next.js Server Actions. It includes a vulnerable Next.js application, an attacker-controlled server to demonstrate the SSRF, and detailed exploitation steps.

Classification: Working PoC 100%
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Next.js < 14.1.1
No auth needed
Prerequisites: Node.js 18+ · npm · Burp Suite for request interception · Python for attacker server
devstral-2 · analyzed Apr 13, 2026

Nuclei Templates (1)

Next.js - Server Side Request Forgery (SSRF)
HIGH · by righettod
Shodan: http.html:"/_next/static" || cpe:"cpe:2.3:a:zeit:next.js"
FOFA: body="/_next/static"

Scores

CVSS v3 7.5
EPSS 0.9275
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (2)
npm/next 13.4.0 - 14.1.1 (npm)
vercel/next.js 13.4.0 - 14.1.1
Published May 14, 2024
Tracked Since Feb 18, 2026