CVE-2024-34351: 
JavaScript vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability (CVE-2024-34351) was identified in Next.js Server Actions, affecting versions >=13.4 and <14.1.1. The vulnerability was discovered by security researchers at Assetnote and fixed in version 14.1.1. The issue occurs when the Host header is modified in specific conditions, allowing attackers to make requests that appear to originate from the Next.js application server itself (Assetnote Advisory, GitHub Advisory).

The vulnerability requires three specific conditions to be exploited: 1) Next.js must be running in a self-hosted manner, 2) the application must use Server Actions, and 3) the Server Action must perform a redirect to a relative path starting with '/'. The issue has been assigned a CVSS score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low complexity, and no required privileges or user interaction (GitHub Advisory).

When successfully exploited, an attacker can make arbitrary requests to URLs and read the full HTTP response made through these requests. As the requests originate from the server, attackers could leverage this vulnerability to access internal networks or metadata IPs for privilege escalation (Assetnote Research).

The vulnerability has been patched in Next.js version 14.1.1. There are no official workarounds available, and users are strongly recommended to upgrade to the patched version. It's worth noting that many hosting providers, including Vercel, route requests based on the Host header, making applications hosted on these platforms potentially immune to this vulnerability (GitHub Advisory).