CVE-2024-34351

Name: CVE-2024-34351
Creator: NVD / NIST
Published: 2024-05-14T15:38:42.563+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 5.45%

Last modified Jun 17, 2026

CVE-2024-34351 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. EPSS estimates a 5.45% chance of exploitation in the next 30 days.

Description

Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

5.45%

91.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-918

Affected Software

Vendor	Product	Versions
Vercel	Next.Js	>= 13.4.0, < 14.1.1

References

https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085Patch
https://github.com/vercel/next.js/pull/62561Issue Tracking, Patch
https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6gVendor Advisory
https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085Patch
https://github.com/vercel/next.js/pull/62561Issue Tracking, Patch
https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6gVendor Advisory

Timeline

Published: May 14, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-34351?

How severe is CVE-2024-34351?

CVE-2024-34351 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 5.45% probability of exploitation in the next 30 days.

How do I fix CVE-2024-34351?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-34351?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST