The Sentry Next.js SDK has a critical Server-Side Request Forgery (SSRF) vulnerability that allows malicious actors to forge requests and responses from the application. Versions 7.26.0 through 7.76.0 of the SDK are affected, and only when the tunnelRoute option is enabled. The fix was released in version 7.77.0. Users are advised to upgrade to that version or to remove the tunnelRoute option from their SDK configuration.

The Sentry team has investigated and found no evidence that the vulnerability was exploited, but they have implemented measures to mitigate its impact on infrastructure-level platforms like Vercel.

Users can check for signs of exploitation by scanning their logs for malicious requests carrying a specific URL query parameter, and should consider themselves targeted if such requests are found. To protect their customers and themselves, users are advised to invalidate and rotate authentication data after fixing the vulnerability.
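The exposure condition described above (an SDK version in the affected range together with tunnelRoute enabled) can be checked mechanically. The following is an added example, not code from the advisory or from Sentry; the function names and the sample config are constructed for illustration, and the config scan is a text heuristic rather than a full parser.

```javascript
// Added example, not Sentry's code. Range and fixed version come from the advisory text.
const FIRST_VULNERABLE = [7, 26, 0];
const FIXED = [7, 77, 0];

// Parse "7.45.0" or "v7.45.0" into [major, minor, patch]; pre-release tags are ignored.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, FIRST_VULNERABLE) >= 0 && compareVersions(v, FIXED) < 0;
}

// Heuristic: a tunnelRoute key outside comments, not set to false/null/undefined.
function hasTunnelRoute(configSource) {
  const code = configSource
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/(^|\s)\/\/.*$/gm, "$1");
  return /\btunnelRoute\s*:\s*(?!\s|(?:false|null|undefined)\b)/.test(code);
}

function assessExposure(version, configSource) {
  const vulnerableVersion = isVulnerableVersion(version);
  const tunnelRouteEnabled = hasTunnelRoute(configSource);
  return { vulnerableVersion, tunnelRouteEnabled, exposed: vulnerableVersion && tunnelRouteEnabled };
}

// Constructed sample: next.config.js contents with the option enabled.
const SAMPLE_CONFIG = `
module.exports = {
  sentry: { tunnelRoute: "/monitoring" },
};
`;
console.log(assessExposure("7.45.0", SAMPLE_CONFIG));
```

Pass the version actually resolved in the lockfile rather than the range declared in package.json, since a caret range can resolve to either side of 7.77.0.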