Skip to content

[Security] Bump @sentry/nextjs from 7.55.2 to 7.77.0

Ghost Userrequested to merge
dependabot-npm_and_yarn-sentry-nextjs-7.77.0 into main

Bumps @sentry/nextjs from 7.55.2 to 7.77.0. This update includes a security fix.

Vulnerabilities fixed

Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint

Impact

An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open door for other attack vectors:

  • client-side vulnerabilities: XSS/CSRF in the context of the trusted domain;
  • interaction with internal network;
  • read cloud metadata endpoints (AWS, Azure, Google Cloud, etc.);
  • local/remote port scan.

This issue only affects users who have Next.js SDK tunneling feature enabled.

Patches

The problem has been fixed in sentry/nextjs@7.77.0

Workarounds

Disable tunneling by removing the tunnelRoute option from Sentry Next.js SDK config — next.config.js or next.config.mjs.

References

... (truncated)

Patched versions: 7.77.0 Affected versions: >= 7.26.0, < 7.77.0

Release notes

Sourced from @​sentry/nextjs's releases.

7.77.0

Security Fixes

  • fix(nextjs): Match only numbers as orgid in tunnelRoute (#9416) (CVE-2023-46729)
  • fix(nextjs): Strictly validate tunnel target parameters (#9415) (CVE-2023-46729)

Other Changes

  • feat: Move LinkedErrors integration to @​sentry/core (#9404)
  • feat(remix): Update sentry-cli version to ^2.21.2 (#9401)
  • feat(replay): Allow to treeshake & configure compression worker URL (#9409)
  • fix(angular-ivy): Adjust package entry points to support Angular 17 with SSR config (#9412)
  • fix(feedback): Fixing feedback import (#9403)
  • fix(utils): Avoid keeping a reference of last used event (#9387)

Bundle size 📦

Path Size
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 77.46 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 56.69 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped) 30.97 KB
@​sentry/browser - Webpack (gzipped) 21.29 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 67.83 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 29.09 KB
@​sentry/browser - ES6 CDN Bundle (gzipped) 21.23 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 216.89 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 88.28 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed) 63.28 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 31.8 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 77.84 KB
@​sentry/react - Webpack (gzipped) 21.34 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 94.18 KB
@​sentry/nextjs Client - Webpack (gzipped) 47.86 KB

7.76.0

Important Changes

  • feat(core): Add cron monitor wrapper helper (#9395)

This release adds Sentry.withMonitor(), a wrapping function that wraps a callback with a cron monitor that will automatically report completions and failures:

import * as Sentry from '@sentry/node';
// withMonitor() will send checkin when callback is started/finished
// works with async and sync callbacks.
const result = Sentry.withMonitor(
'dailyEmail',
() => {
</tr></table>

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

7.77.0

Security Fixes

  • fix(nextjs): Match only numbers as orgid in tunnelRoute (#9416) (CVE-2023-46729)
  • fix(nextjs): Strictly validate tunnel target parameters (#9415) (CVE-2023-46729)

Other Changes

  • feat: Move LinkedErrors integration to @​sentry/core (#9404)
  • feat(remix): Update sentry-cli version to ^2.21.2 (#9401)
  • feat(replay): Allow to treeshake & configure compression worker URL (#9409)
  • fix(angular-ivy): Adjust package entry points to support Angular 17 with SSR config (#9412)
  • fix(feedback): Fixing feedback import (#9403)
  • fix(utils): Avoid keeping a reference of last used event (#9387)

7.76.0

Important Changes

  • feat(core): Add cron monitor wrapper helper (#9395)

This release adds Sentry.withMonitor(), a wrapping function that wraps a callback with a cron monitor that will automatically report completions and failures:

import * as Sentry from '@sentry/node';
// withMonitor() will send checkin when callback is started/finished
// works with async and sync callbacks.
const result = Sentry.withMonitor(
'dailyEmail',
() => {
// withCheckIn return value is same return value here
return sendEmail();
},
// Optional upsert options
{
schedule: {
type: 'crontab',
value: '0 * * * *',
},
// 🇨🇦🫡
timezone: 'Canada/Eastern',
},
);

Other Changes

  • chore(angular-ivy): Allow Angular 17 in peer dependencies (#9386)

... (truncated)

Commits
  • a807adf release: 7.77.0
  • cf4df75 Merge pull request #9417 from getsentry/prepare-release/7.77.0
  • 3e619dc meta: Update CHANGELOG for 7.77.0
  • 8285f54 fix(nextjs): Match only numbers as orgid in tunnelRoute (#9416)
  • 2ec3582 feat(replay): Allow to treeshake & configure compression worker URL (#9409)
  • 1005925 fix(angular-ivy): Adjust package entry points to support Angular 17 with SSR ...
  • a8cf899 ref(replay): Streamline rrweb internal error check (#9391)
  • ddbda3c fix(nextjs): Strictly validate tunnel target parameters (#9415)
  • 4371b2c build: Clean ember and deno packages properly (#9411)
  • 89a4d42 feat: Move LinkedErrors integration to @​sentry/core (#9404)
  • Additional commits viewable in compare view

Merge request reports