6.1

CVSS Score

Basic Information

CVE ID

CVE-2023-46729

GHSA ID

GHSA-2rmr-xw8m-22q9

EPSS Score

CWE

CWE-918

Published

11/9/2023

Updated

11/17/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-46729

CVE-2023-46729:
Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint

Impact

An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open door for other attack vectors:

client-side vulnerabilities: XSS/CSRF in the context of the trusted domain;
interaction with internal network;
read cloud metadata endpoints (AWS, Azure, Google Cloud, etc.);
local/remote port scan.

This issue only affects users who have Next.js SDK tunneling feature enabled.

Patches

The problem has been fixed in sentry/nextjs@7.77.0

Workarounds

Disable tunneling by removing the tunnelRoute option from Sentry Next.js SDK config — next.config.js or next.config.mjs.

References

Credits

Praveen Kumar

(GitHub Advisory)

6.1

CVSS Score

Basic Information

CVE ID

CVE-2023-46729

GHSA ID

GHSA-2rmr-xw8m-22q9

EPSS Score

CWE

CWE-918

Published

11/9/2023

Updated

11/17/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@sentry/nextjs	npm	>= 7.26.0, < 7.77.0	7.77.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure regex patterns in the tunnel rewrite configuration. The commit diff shows the fix replaced '.' with strict patterns ([a-fA-F0-9] for orgid, \d* for projectid). The setUpTunnelRewriteRules function was responsible for creating these vulnerable rewrite rules that didn't properly validate input, allowing attackers to craft malicious URLs that bypassed domain restrictions. This matches the SSRF impact described in the advisory where arbitrary HTTP requests could be sent via manipulated parameters.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n uns*nitiz** input o* N*xt.js S*K tunn*l *n*point *llows s*n*in* *TTP r*qu*sts to *r*itr*ry URLs *n* r**l**tin* t** r*spons* ***k to t** us*r. T*is *oul* op*n *oor *or ot**r *tt**k v**tors: * *li*nt-si** vuln*r**iliti*s: XSS/*SR* in t**

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* r***x p*tt*rns in t** tunn*l r*writ* *on*i*ur*tion. T** *ommit *i** s*ows t** *ix r*pl**** '.*' wit* stri*t p*tt*rns ([*-**-**-*]* *or or*i*, \** *or proj**ti*). T** s*tUpTunn*lR*writ*Rul*s *un*tion w*s r*sponsi*

6.1

Basic Information

Concerned about an active attack path?

CVE-2023-46729: Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint

Impact

Patches

Workarounds

References

Credits

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-46729:
Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint

Vulnerability Intelligence
Miggo AI