CVE-2025-57822
published 2025-08-29


Priority: P2 · 62 · high
CVSS 3.1: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
Exploit: yes
EPSS: 2.33% (81.4th percentile)
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

Affected (5 ranges)

Vendor   Product   Version range                 Fixed in
next     next      >= 0.9.9 < 14.2.32            14.2.32
next     next      >= 15.0.0-canary.0 < 15.4.7   15.4.7
vercel   next.js   < 15.4.7                      15.4.7
vercel   next.js   < 14.2.32                     14.2.32
vercel   next.js   >= 15.0.0 < 15.4.7            15.4.7

Detection & IOCs (extracted from sources)

url: https://oast.me
other: Location: https://oast.me
other: X-Middleware-Rewrite: https://oast.me
  • Probe for CVE-2025-57822 by first confirming the target serves Next.js (body contains '_next/static'), then sending a GET request with attacker-controlled 'Location' and 'X-Middleware-Rewrite' headers pointing to an OOB callback (e.g., oast.me); a successful SSRF is confirmed when the Interactsh/OOB server receives a callback (' Interactsh Server ' in response body).
  • Initial fingerprinting step: confirm Next.js presence by checking response body for the string '_next/static' before attempting exploitation.
  • Use a randomised cache-buster query parameter (e.g., ?cb=<rand_alpha>) when sending the exploit request to avoid cached responses masking the vulnerability.
  • Shodan/FOFA hunting: identify exposed Next.js instances via CPE 'cpe:2.3:a:zeit:next.js', HTTP HTML containing '/_next/static', or FOFA body match '/_next/static'.
  • The vulnerability is triggered specifically when user-supplied headers are forwarded to NextResponse.next() in custom middleware without explicitly passing the request object; monitor middleware code for unsafe header forwarding patterns.
  • Vulnerability only affects self-hosted Next.js deployments; Vercel-hosted applications are not impacted by this SSRF vector.
  • Exploitation requires the target application to have custom middleware logic that passes headers to NextResponse.next() insecurely; not all Next.js deployments are vulnerable by default.
  • The CVSS score is 6.5 (Medium) with High Complexity (AC:H), reflecting that exploitation is conditional on specific misconfigured middleware patterns rather than being universally exploitable.
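The unsafe header-forwarding pattern named above beside its hardened form, as an added example that is not code from the advisory or the Next.js project. Plain WHATWG Headers objects stand in for the middleware request so it runs in Node without Next.js; the NextResponse.next() option shapes ({ headers } for the response versus { request: { headers } } for the forwarded request) are assumed from the Next.js middleware API, and the review and detection helpers are hypothetical.

```javascript
// Added example (not Next.js project code). Plain Headers objects stand in for
// the middleware request; the next() option shapes are assumed from its API.

// Control headers the Next.js server acts on when a middleware response
// carries them: x-middleware-rewrite (rewrite target) and Location (redirect).
const CONTROL_HEADERS = ['x-middleware-rewrite', 'location'];

// Unsafe pattern: every incoming header is copied onto the response, so an
// attacker-supplied X-Middleware-Rewrite becomes a server-side fetch target.
function unsafeNextOptions(requestHeaders) {
  return { headers: new Headers(requestHeaders) };
}

// Hardened pattern: pass the request object explicitly and forward only an
// allowlist of headers onto it; nothing user-controlled lands on the response.
function safeNextOptions(requestHeaders, allow = ['x-request-id', 'accept-language']) {
  const forwarded = new Headers();
  for (const name of allow) {
    const value = requestHeaders.get(name);
    if (value !== null) forwarded.set(name, value);
  }
  return { request: { headers: forwarded } };
}

// Review check: which control headers would this next() options object carry
// from the inbound request onto the middleware response?
function leakedControlHeaders(options, requestHeaders) {
  const response = options.headers;
  if (!response) return [];
  return CONTROL_HEADERS.filter(
    (h) => response.has(h) && response.get(h) === requestHeaders.get(h),
  );
}

// Edge-side detection: browsers never send these headers, so their presence
// on an inbound request is a probe for this bug and worth alerting on.
function probeHeaders(requestHeaders) {
  return CONTROL_HEADERS.filter((h) => requestHeaders.has(h));
}

// Constructed sample request shaped like the probe described above; the URL
// is a placeholder, not the callback host from the IOC list.
const PROBE = new Headers({
  'x-middleware-rewrite': 'https://attacker.example/',
  location: 'https://attacker.example/',
  'x-request-id': 'req-123',
});
console.log('unsafe leaks:', leakedControlHeaders(unsafeNextOptions(PROBE), PROBE));
console.log('safe leaks:  ', leakedControlHeaders(safeNextOptions(PROBE), PROBE));
```

Run with `node` 18 or newer, where the global Headers class is available.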