Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycm1yLXh3OG0tMjJxOc4AA3B6
Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint
Impact
Unsanitized input to the Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open the door to other attack vectors:
- client-side vulnerabilities: XSS/CSRF in the context of the trusted domain;
- interaction with the internal network;
- reading cloud metadata endpoints (AWS, Azure, Google Cloud, etc.);
- local/remote port scanning.
This issue only affects users who have the Next.js SDK tunneling feature enabled.
Patches
The problem has been fixed in @sentry/nextjs@7.77.0.
Workarounds
Disable tunneling by removing the tunnelRoute option from the Sentry Next.js SDK config (next.config.js or next.config.mjs).
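As an added example (not Sentry's or ecosyste.ms's code), the check below applies this advisory's two conditions to an install: the @sentry/nextjs version must fall in the affected range (>= 7.26.0, < 7.77.0) and tunnelRoute must be set in the Sentry options. It assumes the caller has already read the version string from package.json and the options object from next.config.js; the sample inputs at the bottom are constructed.

```javascript
// Added example: exposure check for GHSA-2rmr-xw8m-22q9 (CVE-2023-46729).
// Not part of the Sentry SDK; inputs are assumed to be supplied by the caller.

const AFFECTED_MIN = "7.26.0"; // first affected release (inclusive)
const FIXED_IN = "7.77.0";     // first fixed release (exclusive upper bound)

// Compare two "major.minor.patch" strings numerically.
// Pre-release tags (e.g. "-beta.1") are not handled by this helper.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

// True when the version lies in the advisory's affected range.
function isAffectedVersion(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// sentryOptions: the plain object that carries `tunnelRoute` (assumed shape).
function assessExposure(version, sentryOptions) {
  const route = sentryOptions && sentryOptions.tunnelRoute;
  const tunnelingEnabled = typeof route === "string" && route.length > 0;
  if (!isAffectedVersion(version)) {
    return { vulnerable: false, reason: "version outside affected range >= 7.26.0, < 7.77.0" };
  }
  if (!tunnelingEnabled) {
    return { vulnerable: false, reason: "tunnelRoute not set; tunnel endpoint is not exposed" };
  }
  return {
    vulnerable: true,
    reason: `tunnelRoute "${route}" enabled on ${version}; upgrade to ${FIXED_IN} or remove tunnelRoute`,
  };
}

// Constructed sample inputs (not from any real project).
const sampleVulnerable = assessExposure("7.60.0", { tunnelRoute: "/monitoring" });
const samplePatched = assessExposure("7.77.0", { tunnelRoute: "/monitoring" });
const sampleWorkaround = assessExposure("7.60.0", {});
```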
Permalink: https://github.com/advisories/GHSA-2rmr-xw8m-22q9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycm1yLXh3OG0tMjJxOc4AA3B6
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-2rmr-xw8m-22q9, CVE-2023-46729
References:
- https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-2rmr-xw8m-22q9
- https://github.com/getsentry/sentry-javascript/pull/9415
- https://github.com/getsentry/sentry-javascript/commit/ddbda3c02c35aba8c5235e0cf07fc5bf656f81be
- https://blog.sentry.io/next-js-sdk-security-advisory-cve-2023-46729/
- https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/#configure-tunneling-to-avoid-ad-blockers
- https://www.npmjs.com/package/@sentry/nextjs/v/7.77.0
- https://nvd.nist.gov/vuln/detail/CVE-2023-46729
- https://github.com/advisories/GHSA-2rmr-xw8m-22q9
Blast Radius: 21.2
Affected Packages
npm:@sentry/nextjs
Dependent packages: 55
Dependent repositories: 2,996
Downloads: 5,592,261 last month
Affected Version Ranges: >= 7.26.0, < 7.77.0
Fixed in: 7.77.0
All affected versions: 7.26.0, 7.27.0, 7.28.0, 7.28.1, 7.29.0, 7.30.0, 7.31.0, 7.31.1, 7.32.0, 7.32.1, 7.33.0, 7.34.0, 7.35.0, 7.36.0, 7.37.0, 7.37.1, 7.37.2, 7.38.0, 7.39.0, 7.40.0, 7.41.0, 7.42.0, 7.43.0, 7.44.0, 7.44.1, 7.44.2, 7.45.0, 7.46.0, 7.47.0, 7.48.0, 7.49.0, 7.50.0, 7.51.0, 7.51.1, 7.51.2, 7.52.0, 7.52.1, 7.53.0, 7.53.1, 7.54.0, 7.55.0, 7.55.1, 7.55.2, 7.56.0, 7.57.0, 7.58.0, 7.58.1, 7.59.1, 7.59.2, 7.59.3, 7.60.0, 7.60.1, 7.61.0, 7.61.1, 7.62.0, 7.63.0, 7.64.0, 7.65.0, 7.66.0, 7.67.0, 7.68.0, 7.69.0, 7.70.0, 7.71.0, 7.72.0, 7.73.0, 7.74.0, 7.74.1, 7.75.0, 7.75.1, 7.76.0
All unaffected versions: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.4.0, 6.4.1, 6.5.0, 6.5.1, 6.6.0, 6.7.0, 6.7.1, 6.7.2, 6.8.0, 6.9.0, 6.10.0, 6.11.0, 6.12.0, 6.13.0, 6.13.1, 6.13.2, 6.13.3, 6.14.0, 6.14.1, 6.14.2, 6.14.3, 6.15.0, 6.16.0, 6.16.1, 6.17.0, 6.17.1, 6.17.2, 6.17.3, 6.17.4, 6.17.5, 6.17.6, 6.17.7, 6.17.8, 6.17.9, 6.18.0, 6.18.1, 6.18.2, 6.19.0, 6.19.1, 6.19.2, 6.19.3, 6.19.4, 6.19.5, 6.19.6, 6.19.7, 7.0.0, 7.1.0, 7.1.1, 7.2.0, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 7.6.0, 7.7.0, 7.8.0, 7.8.1, 7.9.0, 7.10.0, 7.11.0, 7.11.1, 7.12.0, 7.12.1, 7.13.0, 7.14.0, 7.14.1, 7.14.2, 7.15.0, 7.16.0, 7.17.0, 7.17.1, 7.17.2, 7.17.3, 7.17.4, 7.18.0, 7.19.0, 7.20.0, 7.20.1, 7.21.0, 7.21.1, 7.22.0, 7.23.0, 7.24.0, 7.24.1, 7.24.2, 7.25.0, 7.77.0, 7.78.0, 7.79.0, 7.80.0, 7.80.1, 7.81.0, 7.81.1, 7.82.0, 7.83.0, 7.84.0, 7.85.0, 7.86.0, 7.87.0, 7.88.0, 7.89.0, 7.90.0, 7.91.0, 7.92.0, 7.93.0, 7.94.1, 7.95.0, 7.97.0, 7.98.0, 7.99.0, 7.100.0, 7.100.1, 7.101.0, 7.101.1, 7.102.0, 7.102.1, 7.103.0, 7.104.0, 7.105.0, 7.106.0, 7.106.1, 7.107.0, 7.108.0, 7.109.0, 7.110.0, 7.110.1, 7.111.0, 7.112.0, 7.112.1, 7.112.2, 7.113.0, 7.114.0, 7.115.0, 7.116.0, 7.117.0, 7.118.0, 7.119.0, 7.119.1, 7.119.2, 7.120.0, 8.0.0, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.1, 8.9.2, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 8.20.0, 8.21.0, 8.22.0, 8.23.0, 8.24.0, 8.25.0, 8.26.0, 8.27.0, 8.28.0, 8.29.0, 8.30.0, 8.31.0, 8.32.0, 8.33.0, 8.33.1, 8.34.0, 8.35.0, 8.36.0, 8.37.0, 8.37.1, 8.38.0, 8.39.0, 8.40.0, 8.41.0