Description
An overly permissive "remotePatterns" configuration in the Image component of a Next.js app can allow unauthenticated attackers to send arbitrary requests to any host, including hosts on internal networks that are otherwise inaccessible externally. This misconfiguration can be exploited to carry out SSRF (Server-Side Request Forgery) attacks on the server.
Remediation
Restrict "remotePatterns" in next.config.js to the specific third-party hosts the application needs to load images from.
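
The difference between a permissive and a restricted "remotePatterns" list, as an added example that is not part of the original advisory or of Next.js itself. The hostnames and paths are constructed placeholders, and `auditRemotePatterns` is a hypothetical helper for reviewing a config, not a Next.js API.

```javascript
// Overly permissive: "**" as the whole hostname matches every host, so the
// image optimizer will fetch from any address the server can reach.
const weakConfig = {
  images: {
    remotePatterns: [
      { protocol: 'https', hostname: '**' },
      { protocol: 'http', hostname: '**' },
    ],
  },
};

// Restricted: only named third-party hosts, HTTPS only, scoped paths.
// In next.config.js this object would be exported as the config.
const hardenedConfig = {
  images: {
    remotePatterns: [
      { protocol: 'https', hostname: 'images.example.com', port: '', pathname: '/uploads/**' },
      { protocol: 'https', hostname: '*.cdn.example.net', port: '', pathname: '/**' },
    ],
  },
};

// Hypothetical helper: returns one finding string per risky setting.
function auditRemotePatterns(config) {
  const patterns = (config.images && config.images.remotePatterns) || [];
  const findings = [];
  patterns.forEach((p, i) => {
    const host = String(p.hostname || '');
    const labels = host.split('.');
    const isWild = (l) => l === '*' || l === '**';
    const fixedLabels = labels.filter((l) => !isWild(l));
    // A wildcard with fewer than two fixed labels ("**", "**.com") is not an allowlist.
    if (labels.some(isWild) && fixedLabels.length < 2) {
      findings.push(`pattern ${i}: hostname "${host}" matches arbitrary hosts`);
    }
    // Omitting protocol, or allowing http, widens what the server will fetch.
    if (p.protocol !== 'https') {
      findings.push(`pattern ${i}: protocol is not pinned to https`);
    }
  });
  return findings;
}

console.log(auditRemotePatterns(weakConfig));
console.log(auditRemotePatterns(hardenedConfig));
```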