Praveen Kumar

**Name of the Vulnerable Software and Affected Versions** sentry-javascript versions prior to 7.77.0 **Description** The issue is related to insufficient input validation in the sentry-javascript SDK, specifically affecting the Next.js SDK tunnel endpoint. This allows an attacker to send HTTP requests to arbitrary URLs and reflect the response back to the user, potentially leading to client-side vulnerabilities such as XSS/CSRF, interaction with internal networks, reading cloud metadata endpoints, or local/remote port scans. The problem only affects users with the Next.js SDK tunneling feature enabled. **Recommendations** For versions prior to 7.77.0, update to version 7.77.0 to fix the issue. As a temporary workaround, consider disabling the tunneling feature by removing the `tunnelRoute` option from the Sentry Next.js SDK config in `next.config.js` or `next.config.mjs`.