root@rebel:~$ cd /news/threats/uat-10608-exploits-next-js-cve-2024-34351-via-react2shell-script_
[TIMESTAMP: 2026-04-06 16:22 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

UAT-10608 Exploits Next.js CVE-2024-34351 via React2Shell Script

AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Threat actor UAT-10608 is automating the exfiltration of credentials and environment secrets from vulnerable Next.js applications using the React2Shell script.
  • [02] Organizations running Next.js versions prior to 14.1.1 are susceptible to Server-Side Request Forgery via the Server Actions feature.
  • [03] Administrators must immediately update Next.js to version 14.1.1 or later and audit environment files for potential exposure of sensitive keys.

A newly identified threat cluster, tracked as UAT-10608, is actively conducting an automated credential harvesting campaign targeting web applications built on the Next.js framework. According to Dark Reading, the group leverages a custom shell script dubbed “react2shell.sh” to automate the exploitation of a known CVE and the subsequent exfiltration of sensitive environment data. This activity highlights the increasing speed at which opportunistic actors weaponize publicly disclosed vulnerabilities in popular web frameworks.

Technical Analysis of the UAT-10608 Credential Harvesting Campaign

The primary vector for this campaign is CVE-2024-34351, a Server-Side Request Forgery (SSRF) vulnerability affecting Next.js versions prior to 14.1.1. The flaw exists within the “Server Actions” feature, where the framework fails to properly validate the Host header when processing internal redirects. Because the redirect target is built from that unvalidated header, an attacker can craft the request so that the server makes an outbound connection to an actor-controlled C2 server.

Once the connection is established, the attacker-controlled server can respond with specific headers that the Next.js application will process. In the context of UAT-10608, the actors use this mechanism to leak secrets. The “react2shell.sh” script facilitates this by scanning for exposed applications and attempting to retrieve environment variables, cloud metadata, and configuration files (such as .env files) that frequently contain API keys, database credentials, and session tokens. Unlike a traditional RCE, this exploit targets the data plane, allowing the actor to steal the identity of the application without necessarily gaining shell access to the underlying host.

How to Detect CVE-2024-34351 Exploit in Production

Identifying active exploitation requires monitoring for anomalous outbound network traffic originating from application servers. Because the TTP involves SSRF, SOC teams should look for requests to internal metadata services (e.g., 169.254.169.254) or unexpected external IP addresses initiated by the application process.

Reviewing application logs for suspicious Host headers or redirects that do not align with standard application behavior is also necessary. Defenders can utilize a SIEM to correlate these network anomalies with file access patterns, specifically focusing on the unauthorized reading of .env or configuration files following a suspicious inbound HTTP request. If an IoC is identified, it is vital to assume that any secrets stored in the environment have been compromised.
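A detection pass of the kind described above, written here as an added example (it is not code from the article or from the Runtime Rebel team): it scans constructed inbound request records and outbound connection records, flags Host headers the application does not serve and outbound connections to cloud metadata or non-allowlisted addresses, and correlates the two within a short window after each suspicious request. The field names, hostnames, addresses and the five-second window are assumptions; real log schemas differ.

```javascript
// Added example (not from the article): correlate suspicious inbound Host
// headers with the outbound connections that follow them, over constructed logs.

const TRUSTED_HOSTS = new Set(['app.example.com']);                 // assumption: the app's real hostname
const METADATA_IPS = new Set(['169.254.169.254', 'fd00:ec2::254']); // IMDS IPv4 (all major clouds), AWS IMDS IPv6
const ALLOWED_EGRESS = new Set(['93.184.216.34']);                  // assumption: the app's one legitimate upstream
const CORRELATION_WINDOW_MS = 5000;                                 // assumption: outbound within 5 s of inbound

// Constructed inbound requests as the app would log them (field names are assumptions).
const inboundLog = [
  { ts: '2026-04-06T16:00:00Z', method: 'POST', path: '/', host: 'app.example.com', src: '203.0.113.10' },
  { ts: '2026-04-06T16:00:01Z', method: 'POST', path: '/', host: '198.51.100.7:8080', src: '203.0.113.55' },
  { ts: '2026-04-06T16:00:02Z', method: 'GET', path: '/', host: 'app.example.com', src: '203.0.113.10' },
];
// Constructed outbound connections from the app process, as an egress proxy or EDR would record them.
const outboundLog = [
  { ts: '2026-04-06T16:00:01Z', dst: '198.51.100.7', port: 8080 },
  { ts: '2026-04-06T16:00:02Z', dst: '169.254.169.254', port: 80 },
  { ts: '2026-04-06T16:00:30Z', dst: '93.184.216.34', port: 443 },
];

// A Host header the app does not serve is the inbound half of the SSRF pattern.
function hostHeaderIsSuspicious(hostHeader) {
  const host = hostHeader.trim().toLowerCase().replace(/:\d+$/, ''); // drop a trailing port
  return !TRUSTED_HOSTS.has(host);
}

// Outbound to metadata is always bad; anything else off the allowlist is notable.
function outboundIsSuspicious(dst) {
  return METADATA_IPS.has(dst) || !ALLOWED_EGRESS.has(dst);
}

// Pair each suspicious inbound request with the suspicious outbound connections
// that start within the window after it. Metadata destinations are rated high.
function correlate(inbound, outbound, windowMs = CORRELATION_WINDOW_MS) {
  const findings = [];
  for (const req of inbound) {
    if (!hostHeaderIsSuspicious(req.host)) continue;
    const t0 = Date.parse(req.ts);
    for (const conn of outbound) {
      const delayMs = Date.parse(conn.ts) - t0;
      if (delayMs < 0 || delayMs > windowMs) continue;
      if (!outboundIsSuspicious(conn.dst)) continue;
      findings.push({
        severity: METADATA_IPS.has(conn.dst) ? 'high' : 'medium',
        inboundHost: req.host,
        src: req.src,
        dst: conn.dst,
        port: conn.port,
        delayMs,
      });
    }
  }
  return findings;
}

for (const f of correlate(inboundLog, outboundLog)) {
  console.log(`[${f.severity}] Host "${f.inboundHost}" from ${f.src} -> outbound ${f.dst}:${f.port} after ${f.delayMs} ms`);
}
```

On the constructed data this yields two findings for the one request carrying a foreign Host header: a medium one for the connection back to that same address and a high one for the metadata service reached a second later. In practice TRUSTED_HOSTS must include every name the app legitimately answers to (load-balancer health checks often arrive with an IP literal in Host), or benign traffic will fire the inbound half of the rule.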

Mitigating Next.js Server-Side Request Forgery

The most effective Next.js Server-Side Request Forgery mitigation is the immediate update of the framework to version 14.1.1 or higher. This patch introduces stricter validation for internal redirects and prevents the host header manipulation required for the SSRF to function.

Beyond patching, organizations should implement a Zero Trust architecture at the network level. This involves restricting the application’s ability to make outbound requests to anything other than known, required endpoints. Utilizing an egress proxy or firewall to block access to cloud metadata services can prevent the exfiltration of high-value IAM roles and tokens. Furthermore, developers should avoid storing sensitive credentials in plain-text environment files, opting instead for managed secret stores that provide granular access logging and automatic rotation. This prevents a single vulnerability from becoming a wide-scale data breach, even if an attacker successfully bypasses initial web defenses.
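The egress restriction described above can also be enforced inside the application as a defence-in-depth layer beside the network proxy or firewall. The following is an added example, not code from the article or from the Next.js project: an allowlist-based egress check that rejects cloud metadata, link-local, loopback and private addresses (including numeric forms such as http://2130706433/, which the WHATWG URL parser normalises to 127.0.0.1) and any hostname outside the allowlist, plus a wrapper that applies the check before every outbound fetch and refuses to follow redirects automatically, so a redirect to an internal address cannot slip past the check. The allowlisted hostnames are assumptions.

```javascript
// Added example (not from the article or Next.js): allowlist-based egress policy
// for outbound requests, used as defence in depth beside a network egress proxy.

// Assumption: the only external services this app legitimately talks to.
const ALLOWED_EGRESS_HOSTS = new Set(['api.example.com', 'auth.example.com']);

// Parse a dotted-decimal IPv4 literal into octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Ranges an SSRF must never reach: cloud metadata/link-local (169.254/16),
// loopback, "this network", and RFC 1918 private space.
function isInternalIPv4([a, b]) {
  return a === 0 || a === 10 || a === 127
    || (a === 169 && b === 254)
    || (a === 172 && b >= 16 && b <= 31)
    || (a === 192 && b === 168);
}

// The WHATWG URL parser keeps brackets on IPv6 literals, e.g. "[fd00:ec2::254]".
function isInternalIPv6(host) {
  const h = host.slice(1, -1); // strip [ ]
  return h === '::1' || h.startsWith('fe80:') || /^f[cd]/.test(h);
}

function egressDecision(target, allowedHosts = ALLOWED_EGRESS_HOSTS) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return { allowed: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: `scheme ${url.protocol} not permitted` };
  }
  // URL parsing normalises hex/octal/integer hosts (e.g. 2130706433 -> 127.0.0.1),
  // so the range checks below see the canonical dotted form.
  const host = url.hostname.toLowerCase();
  const v4 = parseIPv4(host);
  if (v4 && isInternalIPv4(v4)) {
    return { allowed: false, reason: `internal or link-local address ${host}` };
  }
  if (host.startsWith('[') && isInternalIPv6(host)) {
    return { allowed: false, reason: `internal IPv6 address ${host}` };
  }
  if (!allowedHosts.has(host)) {
    return { allowed: false, reason: `host ${host} not in egress allowlist` };
  }
  return { allowed: true, reason: 'allowlisted host' };
}

// Wrapper for outbound calls. redirect: 'manual' stops fetch from silently
// following a 3xx to an address the check never saw; a caller that needs the
// redirect must run egressDecision on the Location header before following it.
async function guardedFetch(target, init = {}) {
  const decision = egressDecision(target);
  if (!decision.allowed) {
    throw new Error(`egress blocked: ${decision.reason}`);
  }
  return fetch(target, { ...init, redirect: 'manual' });
}
```

One caveat: the check runs on the URL, not on the address the allowlisted name resolves to, so a resolver that answers an allowlisted name with an internal address (DNS rebinding) is not caught here. That is why the article's network-level control, an egress proxy or firewall that blocks the metadata service on the resolved address, remains the primary guard and this code is only the second layer.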
