Next.js image Blind SSRF - Vulnerability Database

Next.js image Blind SSRF

Description

The Next.js Image Optimization API serves remote images through an unauthenticated endpoint (/_next/image?url=...) and will fetch any absolute URL that matches the images.remotePatterns allowlist in next.config.js (or the older, deprecated images.domains list). When that allowlist is overly permissive, for example a hostname pattern of **, the Next.js server can be made to fetch and process resources from any external or internal host. An attacker supplies a crafted url parameter and the server issues the request on their behalf, including to internal network services and addresses that are not reachable from the internet. Because the optimizer only returns a re-encoded image and otherwise answers with an error, the attacker usually does not see the raw response body; the flaw is exploited blindly, by observing status codes and response times. This Server-Side Request Forgery (SSRF) vulnerability enables internal reconnaissance and potential access to sensitive internal services without authentication.

Remediation

Configure the remotePatterns option in next.config.js to explicitly allowlist only the trusted external origins your application legitimately needs to load images from; if you still rely on the deprecated images.domains array, migrate those entries to remotePatterns so protocol, port and path can be restricted as well. Follow these steps:

1. Review your application's requirements and identify all legitimate external image sources
2. Update your Next.js configuration to use strict pattern matching:

// next.config.js
module.exports = {
  images: {
    // Each entry is an allowlist rule; a remote URL must fully match at
    // least one entry before the optimizer will fetch it.
    remotePatterns: [
      {
        protocol: 'https',                    // reject plain http
        hostname: 'trusted-cdn.example.com',  // exact host, no wildcard
        port: '',                             // '' = default port only
        pathname: '/images/**',               // only paths under /images/
      },
      {
        protocol: 'https',
        hostname: 'cdn.example.com',          // pathname omitted = any path on this host
      },
    ],
  },
}

3. Avoid wildcard hostnames. In remotePatterns, * matches a single subdomain label and ** matches any number of leading subdomains; a hostname of just ** matches every host and reintroduces the SSRF
4. Always specify the protocol as https when possible, and set port to '' so that only the default port is accepted
5. Use the pathname parameter to further restrict allowed image paths (for example '/images/**' rather than the default, which permits any path)
6. Test the configuration thoroughly: confirm that legitimate images still load, and also that probes for internal addresses, an allowed host on a non-default port, an allowed host outside the permitted path, and look-alike hostnames are all rejected
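The following is an added example, not code from Invicti or from Next.js. It applies the documented remotePatterns matching rules (protocol, hostname, port, pathname, with the * and ** wildcard meanings described above) to a set of constructed URLs of the kind an attacker would pass to /_next/image?url=..., so the permissive configuration and the strict one from step 2 can be compared offline. The matcher is an illustration of the rules, not Next.js's own implementation, and the assumption that a leading ** also matches zero subdomains is this example's choice; verify edge cases against the Next.js version you run.

```javascript
'use strict';

// Escape a literal so it can be embedded in a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Hostname pattern -> RegExp, following the documented wildcard rules:
//   '*'  matches exactly one subdomain label
//   '**' at the start matches any number of leading subdomains
//        (assumption for this example: zero or more)
//   '**' on its own matches every host, which is the dangerous case
function hostnameToRegExp(pattern) {
  if (pattern === '**') return /^.+$/;
  let labels = pattern.split('.');
  let prefix = '';
  if (labels[0] === '**') {
    prefix = '(?:[^.]+\\.)*';
    labels = labels.slice(1);
  }
  const body = labels
    .map((label) => (label === '*' ? '[^.]+' : escapeRegExp(label)))
    .join('\\.');
  return new RegExp(`^${prefix}${body}$`, 'i');
}

// Pathname pattern -> RegExp:
//   '*'  matches exactly one path segment
//   '**' at the end matches any number of trailing segments
function pathnameToRegExp(pattern) {
  let segments = pattern.split('/');
  let suffix = '';
  if (segments[segments.length - 1] === '**') {
    suffix = '(?:/[^/]+)*';
    segments = segments.slice(0, -1);
  }
  const body = segments
    .map((seg) => (seg === '*' ? '[^/]+' : escapeRegExp(seg)))
    .join('/');
  return new RegExp(`^${body}${suffix}/?$`);
}

// One remotePatterns entry against one parsed URL. A missing protocol or
// port means "any"; a missing pathname defaults to '**' (any path).
function matchRemotePattern(pattern, url) {
  if (pattern.protocol !== undefined && pattern.protocol !== url.protocol.slice(0, -1)) return false;
  if (pattern.port !== undefined && pattern.port !== url.port) return false;
  if (!hostnameToRegExp(pattern.hostname).test(url.hostname)) return false;
  if (!pathnameToRegExp(pattern.pathname ?? '**').test(url.pathname)) return false;
  return true;
}

// Would the optimizer be allowed to fetch this URL under the given allowlist?
function isAllowed(rawUrl, remotePatterns) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is never fetched
  }
  return remotePatterns.some((p) => matchRemotePattern(p, url));
}

// The weak setting: a bare '**' hostname admits every host.
const permissivePatterns = [{ hostname: '**' }];

// The strict setting from the remediation steps above.
const strictPatterns = [
  { protocol: 'https', hostname: 'trusted-cdn.example.com', port: '', pathname: '/images/**' },
  { protocol: 'https', hostname: 'cdn.example.com' },
];

// Constructed sample inputs: two legitimate sources followed by SSRF probes.
const sampleUrls = [
  'https://trusted-cdn.example.com/images/hero.png',
  'https://cdn.example.com/logo.svg',
  'http://169.254.169.254/latest/meta-data/',             // cloud metadata address
  'http://localhost:8080/admin/health',                   // internal service
  'https://trusted-cdn.example.com/private/export.png',   // allowed host, path outside /images
  'https://trusted-cdn.example.com:8443/images/hero.png', // allowed host, non-default port
  'https://cdn.example.com.attacker.test/logo.svg',       // look-alike hostname
];

// Map each sample URL to the allow/deny decision under a configuration.
function evaluate(patterns) {
  const result = {};
  for (const u of sampleUrls) result[u] = isAllowed(u, patterns);
  return result;
}

console.log('permissive:', evaluate(permissivePatterns));
console.log('strict:', evaluate(strictPatterns));
```

Run with node; under the permissive configuration every probe is fetched, while under the strict configuration only the two legitimate image URLs pass and each probe is rejected for a different reason (protocol, host, port or path). Reusing evaluate() with your own allowlist and URL set gives a repeatable negative test for step 6.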
