CVE-2023-46729

Name of the Vulnerable Software and Affected Versions sentry-javascript versions prior to 7.77.0

Description The issue is related to insufficient input validation in the sentry-javascript SDK, specifically affecting the Next.js SDK tunnel endpoint. This allows an attacker to send HTTP requests to arbitrary URLs and reflect the response back to the user, potentially leading to client-side vulnerabilities such as XSS/CSRF, interaction with internal networks, reading cloud metadata endpoints, or local/remote port scans. The problem only affects users with the Next.js SDK tunneling feature enabled.

Recommendations For versions prior to 7.77.0, update to version 7.77.0 to fix the issue. As a temporary workaround, consider disabling the tunneling feature by removing the tunnelRoute option from the Sentry Next.js SDK config in next.config.js or next.config.mjs.