Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) through manipulation of the Host header. An attacker can make unauthorized requests that appear to originate from the server.
Notes:
Prerequisites:
Next.js (<14.1.1) is self-hosted.
The Next.js application makes use of Server Actions.
The Server Action performs a redirect to a relative path which starts with a /.
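An added example, not part of the advisory or of Next.js itself: a heuristic static triage for the prerequisites above that are visible in code, namely the version bound and Server Action files that call redirect() with a literal path starting with /. Whether the deployment is self-hosted cannot be read from source and is assumed; compareVersions, findExposure and the sample files are hypothetical names constructed for illustration.

```javascript
// Added example: static triage for the code-visible prerequisites listed above.
// Assumption: the deployment is self-hosted (not detectable from source).

// Compare dotted numeric versions (pre-release suffix ignored): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// "use server" directive on its own line (file-level or inline in a function).
const USE_SERVER = /^\s*['"]use server['"]\s*;?\s*$/m;
// redirect() whose first argument is a string literal starting with "/".
const RELATIVE_REDIRECT = /\bredirect\(\s*['"`]\//g;

// Heuristic: returns [{ path, line }] for each such redirect in a file
// that contains a "use server" directive.
function findExposure(nextVersion, files) {
  if (compareVersions(nextVersion, '14.1.1') >= 0) return []; // outside affected range
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    if (!USE_SERVER.test(source)) continue;
    for (const m of source.matchAll(RELATIVE_REDIRECT)) {
      findings.push({ path, line: source.slice(0, m.index).split('\n').length });
    }
  }
  return findings;
}

// Constructed sample sources (hypothetical file names and actions).
const sampleFiles = {
  'app/actions.js': "'use server';\nimport { redirect } from 'next/navigation';\n" +
    "export async function logout() {\n  redirect('/login');\n}\n",
  'app/external.js': "'use server';\nimport { redirect } from 'next/navigation';\n" +
    "export async function docs() {\n  redirect('https://example.com/docs');\n}\n",
  'app/page.js': 'export default function Page() { return null; }\n',
};

console.log(findExposure('14.0.4', sampleFiles));
```

A hit means the code-side prerequisites are met; confirm the hosting model separately before treating the application as exposed.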