Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS0ycm1yLXh3OG0tMjJxOc4AA3B6

Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint

Impact

An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open door for other attack vectors:

• client-side vulnerabilities: XSS/CSRF in the context of the trusted domain;
• interaction with internal network;
• read cloud metadata endpoints (AWS, Azure, Google Cloud, etc.);
• local/remote port scan.

This issue only affects users who have Next.js SDK tunneling feature enabled.

Patches

The problem has been fixed in sentry/[email protected]

Workarounds

Disable tunneling by removing the tunnelRoute option from Sentry Next.js SDK config — next.config.js or next.config.mjs.

References

• Sentry Next.js tunneling feature
• The fix
• More Information

Credits

• Praveen Kumar

Permalink: https://github.com/advisories/GHSA-2rmr-xw8m-22q9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycm1yLXh3OG0tMjJxOc4AA3B6
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 19 days ago
Updated: 11 days ago

CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-2rmr-xw8m-22q9, CVE-2023-46729
References:

• https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-2rmr-xw8m-22q9
• https://github.com/getsentry/sentry-javascript/pull/9415
• https://github.com/getsentry/sentry-javascript/commit/ddbda3c02c35aba8c5235e0cf07fc5bf656f81be
• https://blog.sentry.io/next-js-sdk-security-advisory-cve-2023-46729/
• https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/#configure-tunneling-to-avoid-ad-blockers
• https://www.npmjs.com/package/@sentry/nextjs/v/7.77.0
• https://nvd.nist.gov/vuln/detail/CVE-2023-46729
• https://github.com/advisories/GHSA-2rmr-xw8m-22q9

Affected Packages