CVE-2025-57822

29.08.2025, 22:15

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

SSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
GitHub_M	CNA	6.5 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 90%

Vendor	Product	Version
vercel	next.js	𝑥 < 14.2.32
vercel	next.js	15.0.0 ≤ 𝑥 < 15.4.7

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-918 - Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References

https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8

https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f

https://vercel.com/changelog/cve-2025-57822