Next.js Origin Bypass Vulnerability in Server Action CSRF Validation

Vulnerability

A vulnerability in Next.js versions from 16.0.1 up to, but not including, 16.1.7 allows requests from opaque contexts, such as sandboxed iframes, to bypass origin verification during Server Action CSRF validation. An attacker could cause a victim's browser to submit Server Actions from such a sandboxed context, potentially executing state-changing actions with the victim's credentials.

Impact

Exploitation of this vulnerability could lead to Cross-Site Request Forgery (CSRF) attacks, allowing unauthorized actions to be performed on behalf of the user.

Reproduction

The vulnerability can be reproduced by sending a request from a sandboxed iframe with the 'null' origin. This can be done by creating an iframe element, setting its 'sandbox' attribute, and appending it to the document. Once the iframe is loaded, a request can be sent to the server action that is vulnerable to CSRF, bypassing the origin validation.

Remediation

Upgrade to Next.js version 16.1.7 or later, where this vulnerability is fixed. If an immediate upgrade is not possible, add CSRF tokens to sensitive Server Actions, apply 'SameSite=Strict' to sensitive authentication cookies, and remove 'null' from 'serverActions.allowedOrigins' unless it is explicitly required and otherwise protected.
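The interim mitigations above, as an added example that is not part of this advisory or of Next.js itself: a weak allowlist beside a hardened one, a hypothetical origin check that rejects the opaque 'null' origin (written for middleware, not Next.js's internal logic), and the cookie attributes recommended for auth cookies. It assumes the allowlist lives under experimental.serverActions.allowedOrigins in next.config.js and uses app.example.com as a placeholder host.

```javascript
// Added example, not Next.js code. Assumed config path:
// experimental.serverActions.allowedOrigins in next.config.js.

// Weak: a 'null' entry accepts opaque origins such as sandboxed iframes.
const weakConfig = {
  experimental: { serverActions: { allowedOrigins: ['app.example.com', 'null'] } },
};

// Hardened: only concrete, expected hosts; no 'null' entry.
const hardenedConfig = {
  experimental: { serverActions: { allowedOrigins: ['app.example.com'] } },
};

// Hypothetical defensive check for a Server Action request. Returns true only
// when Origin is a concrete http(s) origin whose host equals the request Host
// or an allowlisted host. A missing, empty, 'null' (opaque context) or
// unparsable Origin is rejected, and a stale 'null' allowlist entry is ignored
// so that it cannot reopen the bypass.
function isAllowedServerActionOrigin(originHeader, hostHeader, allowedOrigins) {
  if (typeof originHeader !== 'string' || originHeader === '' || originHeader === 'null') {
    return false;
  }
  let origin;
  try {
    origin = new URL(originHeader);
  } catch {
    return false; // not a serialized origin at all
  }
  if (origin.protocol !== 'https:' && origin.protocol !== 'http:') return false;
  const allowed = new Set(
    (allowedOrigins || []).filter((o) => o !== 'null').map((o) => o.toLowerCase()),
  );
  if (hostHeader) allowed.add(hostHeader.toLowerCase());
  return allowed.has(origin.host.toLowerCase());
}

// Cookie attributes for a sensitive auth cookie, per the advisory's advice.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Stand-alone demonstration: the opaque origin is rejected under both configs.
const list = hardenedConfig.experimental.serverActions.allowedOrigins;
console.log(isAllowedServerActionOrigin('null', 'app.example.com', list)); // false
console.log(isAllowedServerActionOrigin('https://app.example.com', 'app.example.com', list)); // true
console.log(sessionCookie('sid', 'constructed-value'));
```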

Added: Mar 18, 2026, 12:21 AM
Updated: Mar 18, 2026, 12:21 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 7.8
remediation: 7.9
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.