CVE-2023-46729

9.3 CRITICAL

📋 TL;DR

This vulnerability in the tunnel endpoint of sentry-javascript's Next.js SDK allows an attacker to make the server send HTTP requests to arbitrary URLs and to reflect the responses back to the requester. It only affects users who have the Next.js SDK tunneling feature enabled. The issue is a server-side request forgery (SSRF).

💻 Affected Systems

Products:
  • sentry-javascript Next.js SDK
Versions: Versions before 7.77.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects users with Next.js SDK tunneling feature enabled

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, exfiltrate sensitive data, or chain with other vulnerabilities to achieve remote code execution.

🟠 Likely Case

Attackers probe internal networks, access metadata services, or interact with internal APIs to gather information.

🟢 If Mitigated

With proper network segmentation and input validation, impact is limited to information disclosure from accessible endpoints.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities are commonly exploited; no public PoC but trivial to craft

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.77.0

Vendor Advisory: https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-2rmr-xw8m-22q9

Restart Required: Yes

Instructions:

1. Update the sentry-javascript package to version 7.77.0 or later.
2. Run npm update @sentry/nextjs or yarn upgrade @sentry/nextjs.
3. Restart your Next.js application.

🔧 Temporary Workarounds

Disable tunneling feature

all

Disable the Next.js SDK tunneling feature if it is not required: set tunnelRoute: false in the Sentry configuration.

🧯 If You Can't Patch

  • Implement strict input validation on the tunnel endpoint
  • Restrict outbound network access from the affected server

🔍 How to Verify

Check if Vulnerable:

Check whether the application uses the sentry-javascript Next.js SDK at a version below 7.77.0 with tunneling enabled.

Check Version:

npm list @sentry/nextjs

Verify Fix Applied:

Verify package.json shows @sentry/nextjs version >=7.77.0
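The two conditions above (affected version and tunneling enabled) can be checked together. The following script is an added example, not code from the advisory or from the Sentry project; it assumes the parsed output of npm list @sentry/nextjs --json has the usual dependencies["@sentry/nextjs"].version shape, and treats tunneling as enabled only when tunnelRoute is a non-empty string (both are assumptions about the shape, not facts stated on this page).

```javascript
// Added example: decide whether an installation falls into the
// CVE-2023-46729 window (@sentry/nextjs < 7.77.0 with tunneling enabled).
const FIXED_VERSION = "7.77.0"; // patch version named in the advisory

// Parse "MAJOR.MINOR.PATCH" (optional leading ^, ~ or v and any prerelease
// suffix are tolerated) into numeric components; anything else is rejected.
function parseVersion(spec) {
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  if (!m) throw new Error(`unrecognised version: ${spec}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Assumption: the tunnel is on when tunnelRoute is a non-empty string;
// tunnelRoute: false (the advisory's workaround) or an absent key means off.
function tunnelingEnabled(sentryOptions) {
  const route = sentryOptions && sentryOptions.tunnelRoute;
  return typeof route === "string" && route.length > 0;
}

// npmListJson: parsed `npm list @sentry/nextjs --json` output (assumed shape);
// sentryOptions: the options object handed to the Sentry Next.js config wrapper.
function assessCve202346729(npmListJson, sentryOptions) {
  const deps = npmListJson.dependencies || {};
  const dep = deps["@sentry/nextjs"];
  if (!dep || !dep.version) return { vulnerable: false, reason: "@sentry/nextjs not installed" };
  if (compareVersions(dep.version, FIXED_VERSION) >= 0) {
    return { vulnerable: false, reason: `version ${dep.version} is at or above ${FIXED_VERSION}` };
  }
  if (!tunnelingEnabled(sentryOptions)) {
    return { vulnerable: false, reason: `version ${dep.version} is affected but tunneling is disabled` };
  }
  return { vulnerable: true, reason: `version ${dep.version} is below ${FIXED_VERSION} and tunnelRoute is set` };
}

// Constructed sample input standing in for real npm output and config.
const SAMPLE_NPM_LIST = { name: "demo-app", dependencies: { "@sentry/nextjs": { version: "7.76.0" } } };
const SAMPLE_OPTIONS = { tunnelRoute: "/monitoring" };
console.log(assessCve202346729(SAMPLE_NPM_LIST, SAMPLE_OPTIONS));
```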

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests from Sentry tunnel endpoint to internal IPs
  • Error logs showing SSRF attempts

Network Indicators:

  • Outbound requests from application server to unexpected internal services
  • Traffic patterns matching SSRF probes

SIEM Query:

source="application_logs" AND "tunnel" AND ("internal" OR "127.0.0.1" OR "169.254.169.254")
