Description

An overly permissive "remotePatterns" configuration for the Image component of a Next.js app can allow unauthenticated attackers to make the server send requests to arbitrary hosts, including hosts on internal networks that are not reachable from outside. This misconfiguration can be exploited to carry out SSRF (Server-Side Request Forgery) attacks against the server.

Remediation

Restrict the third-party hosts the Image component is allowed to fetch from by listing only trusted hosts in "remotePatterns" in next.config.js, rather than wildcard hostnames.
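As an added example (not from the original page or the Next.js project), a wildcard next.config.js fragment is shown beside a restricted one, together with a simplified matcher that approximates how remotePatterns are evaluated (hostname "**" matches any host, "*" one label; pathname "**" any path). The matcher and the hostnames are illustrative assumptions, not the framework's own code.

```javascript
// Added example, not from the original page. Two next.config.js fragments
// and a simplified matcher approximating images.remotePatterns evaluation
// (illustration only, not the Next.js implementation).

// Weak: any https host, any path. The image optimizer becomes an open fetcher
// that will contact internal hosts on behalf of an unauthenticated client.
const permissiveConfig = {
  images: { remotePatterns: [{ protocol: 'https', hostname: '**' }] },
};

// Hardened: one trusted CDN (constructed name), default port, one path prefix.
const restrictedConfig = {
  images: {
    remotePatterns: [
      { protocol: 'https', hostname: 'cdn.example.com', port: '', pathname: '/assets/**' },
    ],
  },
};

// Turn a remotePatterns glob into a regex: '**' spans separators, '*' stops at one.
function globToRegex(glob, separator) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const re = escaped
    .replace(/\*\*/g, '\u0000')            // placeholder for '**'
    .replace(/\*/g, `[^${separator}]*`)    // '*' matches a single label/segment
    .replace(/\u0000/g, '.*');             // '**' matches across separators
  return new RegExp(`^${re}$`);
}

// One pattern against one parsed URL; an omitted pathname admits every path.
function matchesPattern(pattern, url) {
  if (pattern.protocol && `${pattern.protocol}:` !== url.protocol) return false;
  if (pattern.port !== undefined && pattern.port !== url.port) return false;
  if (!globToRegex(pattern.hostname, '.').test(url.hostname)) return false;
  const pathGlob = pattern.pathname === undefined ? '**' : pattern.pathname;
  return globToRegex(pathGlob, '/').test(url.pathname);
}

// True when at least one configured pattern admits the requested image source.
function isAllowedImageSource(config, src) {
  const url = new URL(src);
  return config.images.remotePatterns.some((p) => matchesPattern(p, url));
}
```

Running the two configurations against an internal hostname shows the difference: the wildcard config admits it, the restricted config rejects everything except the named CDN path.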
