GHSA-2rmr-xw8m-22q9: Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint

Impact

Unsanitized input to the Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open the door to other attack vectors:

  • client-side vulnerabilities: XSS/CSRF in the context of the trusted domain;
  • interaction with internal network;
  • read cloud metadata endpoints (AWS, Azure, Google Cloud, etc.);
  • local/remote port scan.

This issue only affects users who have Next.js SDK tunneling feature enabled.

Patches

The problem has been fixed in @sentry/nextjs@7.77.0

Workarounds

Disable tunneling by removing the tunnelRoute option from the Sentry Next.js SDK config (next.config.js or next.config.mjs).
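For readers who want to keep tunneling rather than disable it, the following is an added example (not code from the advisory or from the Sentry SDK) of the defensive pattern that closes a CWE-918 hole of this shape: the tunnel handler checks that the DSN in the client's envelope names the server's own ingest host and project, builds the forward URL from the trusted DSN rather than from client input, and returns only a status to the browser instead of reflecting the upstream body. It assumes Sentry's envelope layout (newline-delimited, first line a JSON header with a `dsn` field); `SERVER_DSN`, the sample envelopes, and the names `resolveForwardUrl`, `resolveForwardUrlUnchecked` and `tunnelHandler` are constructed for this example.

```javascript
// Added example, not the Sentry SDK's code: a tunnel handler that refuses to
// forward envelopes whose DSN points anywhere but this server's own project.

// Assumption: the DSN this deployment reports to. The value is constructed.
const SERVER_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0";

// Split a DSN into the parts that identify the destination.
function parseDsn(dsn) {
  const url = new URL(dsn);
  const projectId = url.pathname.split("/").filter(Boolean).pop();
  if (!projectId || !/^\d+$/.test(projectId)) {
    throw new Error("DSN has no numeric project id");
  }
  return { host: url.host, projectId };
}

// Sentry envelopes are newline-delimited; the first line is a JSON header
// carrying the DSN the client wants the envelope delivered to.
function parseEnvelopeHeader(envelope) {
  const end = envelope.indexOf("\n");
  const headerLine = end === -1 ? envelope : envelope.slice(0, end);
  return JSON.parse(headerLine);
}

// Weak pattern (what CWE-918 looks like here): the forward target is built
// straight from the client-supplied DSN, so the client chooses the host.
function resolveForwardUrlUnchecked(envelope) {
  const { host, projectId } = parseDsn(parseEnvelopeHeader(envelope).dsn);
  return `https://${host}/api/${projectId}/envelope/`;
}

// Hardened pattern: the client's DSN must match the trusted DSN, and the
// target URL is then built from the trusted DSN, never from client input.
function resolveForwardUrl(envelope, trustedDsn = SERVER_DSN) {
  const trusted = parseDsn(trustedDsn);
  const header = parseEnvelopeHeader(envelope);
  if (typeof header.dsn !== "string") {
    throw new Error("envelope header has no dsn");
  }
  const client = parseDsn(header.dsn);
  if (client.host !== trusted.host || client.projectId !== trusted.projectId) {
    throw new Error(`rejected envelope addressed to ${client.host}/${client.projectId}`);
  }
  return `https://${trusted.host}/api/${trusted.projectId}/envelope/`;
}

// Next.js-style API route. `forward` is injectable so the handler can be
// exercised without network access; it defaults to the global fetch.
async function tunnelHandler(req, res, forward = globalThis.fetch) {
  let target;
  try {
    target = resolveForwardUrl(req.body);
  } catch (err) {
    res.status(400).end();
    return;
  }
  const upstream = await forward(target, {
    method: "POST",
    body: req.body,
    headers: { "Content-Type": "application/x-sentry-envelope" },
  });
  // Report only a status; never reflect the upstream body to the browser.
  res.status(upstream.ok ? 200 : 502).end();
}

// Constructed sample envelopes: one addressed to our project, one to a
// foreign host (reserved .invalid TLD) that the hardened path must reject.
const GOOD_ENVELOPE = [
  JSON.stringify({ dsn: SERVER_DSN, sent_at: "2023-11-09T00:00:00.000Z" }),
  JSON.stringify({ type: "event" }),
  JSON.stringify({ message: "constructed test event" }),
].join("\n") + "\n";

const FOREIGN_ENVELOPE = [
  JSON.stringify({ dsn: "https://key@collector.attacker.invalid/1" }),
  JSON.stringify({ type: "event" }),
  JSON.stringify({ message: "constructed test event" }),
].join("\n") + "\n";

console.log("trusted envelope forwards to:", resolveForwardUrl(GOOD_ENVELOPE));
console.log("unchecked handler would forward to:", resolveForwardUrlUnchecked(FOREIGN_ENVELOPE));
try {
  resolveForwardUrl(FOREIGN_ENVELOPE);
} catch (err) {
  console.log("hardened handler:", err.message);
}
```

The comparison between `resolveForwardUrlUnchecked` and `resolveForwardUrl` is the whole point: both parse the same header, but only the hardened version ties the destination to a value the server already controls, which is what a workaround of removing `tunnelRoute` achieves by taking the endpoint away entirely.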


Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint

Critical severity GitHub Reviewed Published Nov 9, 2023 in getsentry/sentry-javascript • Updated Nov 9, 2023

Package: @sentry/nextjs (npm)

Affected versions: >= 7.26.0, < 7.77.0

Patched versions: 7.77.0


References

  • GHSA-2rmr-xw8m-22q9
  • getsentry/sentry-javascript#9415
  • getsentry/sentry-javascript@ddbda3c
  • https://blog.sentry.io/next-js-sdk-security-advisory-cve-2023-46729/
  • https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/#configure-tunneling-to-avoid-ad-blockers
  • https://www.npmjs.com/package/@sentry/nextjs/v/7.77.0

Timeline

  • Published by alek-sentry to getsentry/sentry-javascript: Nov 9, 2023
  • Published to the GitHub Advisory Database: Nov 9, 2023
  • Reviewed: Nov 9, 2023
  • Last updated: Nov 9, 2023

Severity: Critical, CVSS base score 9.3 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: Required
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Weaknesses: CWE-918 (Server-Side Request Forgery)

CVE ID: CVE-2023-46729

GHSA ID: GHSA-2rmr-xw8m-22q9

Source code: getsentry/sentry-javascript

Related news

CVE-2023-46729: SSRF via Next.js SDK tunnel endpoint

sentry-javascript provides Sentry SDKs for JavaScript. Unsanitized input to the Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This issue only affects users who have the Next.js SDK tunneling feature enabled. The problem has been fixed in version 7.77.0.