CVE-2025-57822
Published 2025-08-29
Priority: P262 · high · CVSS 3.1 base score 8.2 · vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 2.33% (81.4th percentile)
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 0.9.9 < 14.2.32 | 14.2.32 |
| next | next | >= 15.0.0-canary.0 < 15.4.7 | 15.4.7 |
| vercel | next.js | < 15.4.7 | 15.4.7 |
| vercel | next.js | < 14.2.32 | 14.2.32 |
| vercel | next.js | >= 15.0.0 < 15.4.7 | 15.4.7 |
Detection & IOCs (extracted from sources)
- bytes: 490a004630440220119d1445aa13ebbd3cbeb100e44bd0a126d551a7004a5a55320f8a6e749ca4110220137caea0e78d19e95d02fbbdb4e35c221b877b71259536a951598b3540bfc2d2:922c64590222798bb761d5b6d8e72950
- Probe for CVE-2025-57822 by first confirming the target serves Next.js (body contains '_next/static'), then sending a GET request with attacker-controlled 'Location' and 'X-Middleware-Rewrite' headers pointing to an OOB callback (e.g., oast.me); a successful SSRF is confirmed when the Interactsh/OOB server receives a callback (' Interactsh Server ' in response body).
- Initial fingerprinting step: confirm Next.js presence by checking the response body for the string '_next/static' before attempting exploitation.
- Use a randomised cache-buster query parameter (e.g., ?cb=<rand_alpha>) when sending the exploit request to avoid cached responses masking the vulnerability.
- Shodan/FOFA hunting: identify exposed Next.js instances via CPE 'cpe:2.3:a:zeit:next.js', HTTP HTML containing '/_next/static', or FOFA body match '/_next/static'.
- The vulnerability is triggered specifically when user-supplied headers are forwarded to NextResponse.next() in custom middleware without explicitly passing the request object; monitor middleware code for unsafe header forwarding patterns.
- The vulnerability only affects self-hosted Next.js deployments; Vercel-hosted applications are not impacted by this SSRF vector.
- Exploitation requires the target application to have custom middleware logic that passes headers to NextResponse.next() insecurely; not all Next.js deployments are vulnerable by default.
- The CVSS score is 6.5 (Medium) with High Complexity (AC:H), reflecting that exploitation is conditional on specific misconfigured middleware patterns rather than being universally exploitable.
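The note above about monitoring middleware code for unsafe header forwarding patterns, turned into a check a self-hosting team can run over its own middleware source. This is an added example; it is not part of this record, of Next.js, of Vercel's changelog, or of the Nuclei template. It assumes, from the advisory wording only, that the unsafe shape is `NextResponse.next({ headers: request.headers })` (incoming request headers set as the response's own headers) and that nesting them under `request: { headers }` is the safe form; the three sample middleware sources are constructed for the demo. It is a heuristic over source text, not an AST parser: it locates each `NextResponse.next(` call, splits the top-level keys of its argument object, and flags a top-level `headers` key, at high severity when the value references `request.headers` or `req.headers`.

```javascript
// Added example, not code from Next.js, Vercel, or the Nuclei template.
// Heuristic static check for the NextResponse.next() misuse behind CVE-2025-57822.
// Assumption (from the advisory wording, not confirmed by the page): passing the
// incoming request's headers as the *response's* headers, e.g.
// NextResponse.next({ headers: request.headers }), is the unsafe shape; nesting
// them under `request: { headers }` keeps them on the forwarded request.

// Text between the '(' at openIdx and its matching ')', skipping string literals.
function callArgument(src, openIdx) {
  let depth = 0;
  let quote = null;
  for (let i = openIdx; i < src.length; i++) {
    const ch = src[i];
    if (quote) { if (ch === quote) quote = null; continue; }
    if (ch === '"' || ch === "'" || ch === '`') { quote = ch; continue; }
    if ('({['.includes(ch)) depth++;
    else if (')}]'.includes(ch) && --depth === 0) return src.slice(openIdx + 1, i);
  }
  return null; // unbalanced call, nothing to inspect
}

// Top-level `key: value` entries of an object literal; nested braces are not split.
function topLevelEntries(objLiteral) {
  const text = objLiteral.trim();
  if (!text.startsWith('{') || !text.endsWith('}')) return [];
  const inner = text.slice(1, -1);
  const parts = [];
  let depth = 0, quote = null, start = 0;
  for (let i = 0; i < inner.length; i++) {
    const ch = inner[i];
    if (quote) { if (ch === quote) quote = null; continue; }
    if (ch === '"' || ch === "'" || ch === '`') { quote = ch; continue; }
    if ('({['.includes(ch)) depth++;
    else if (')}]'.includes(ch)) depth--;
    else if (ch === ',' && depth === 0) { parts.push(inner.slice(start, i)); start = i + 1; }
  }
  parts.push(inner.slice(start));
  return parts.map(p => p.trim()).filter(Boolean).map(p => {
    const colon = p.indexOf(':');
    // shorthand `{ request }` or a spread has no colon: key and value are the same text
    if (colon === -1) return { key: p.replace(/^\.\.\./, ''), value: p };
    const key = p.slice(0, colon).trim().replace(/^['"]|['"]$/g, '');
    return { key, value: p.slice(colon + 1).trim() };
  });
}

// Scan middleware source text; returns findings with 1-based line numbers.
function scanMiddleware(src) {
  const findings = [];
  const callRe = /NextResponse\.next\s*\(/g;
  let m;
  while ((m = callRe.exec(src)) !== null) {
    const openIdx = m.index + m[0].length - 1;
    const arg = callArgument(src, openIdx);
    if (arg === null) continue;
    const line = src.slice(0, m.index).split('\n').length;
    for (const { key, value } of topLevelEntries(arg)) {
      if (key !== 'headers') continue; // `request: { headers }` is the safe nesting
      const reflectsRequest = /\b(request|req)\.headers\b/.test(value);
      findings.push({
        line,
        severity: reflectsRequest ? 'high' : 'review',
        reason: reflectsRequest
          ? 'incoming request headers are set as response headers in NextResponse.next()'
          : 'top-level `headers` passed to NextResponse.next(); confirm it holds no request-derived values',
      });
    }
  }
  return findings;
}

// Constructed sample middleware sources for this demo (not real project code).
const VULNERABLE_MIDDLEWARE = `import { NextResponse } from 'next/server';
export function middleware(request) {
  // every incoming header becomes a response header, including ones the server itself acts on
  return NextResponse.next({ headers: request.headers });
}`;

const SAFE_MIDDLEWARE = `import { NextResponse } from 'next/server';
export function middleware(request) {
  const headers = new Headers(request.headers);
  headers.set('x-request-id', 'demo');
  return NextResponse.next({ request: { headers } });
}`;

const OWN_HEADERS_MIDDLEWARE = `import { NextResponse } from 'next/server';
export function middleware() {
  return NextResponse.next({ headers: { 'x-frame-options': 'DENY' } });
}`;

for (const [name, src] of Object.entries({ VULNERABLE_MIDDLEWARE, SAFE_MIDDLEWARE, OWN_HEADERS_MIDDLEWARE })) {
  console.log(name, JSON.stringify(scanMiddleware(src)));
}
```

Run it with node; it prints one JSON line of findings per sample. Because it matches text rather than an AST, treat it as a first-pass CI or pre-commit check that points reviewers at the calls to look at; the upgrade to 14.2.32 / 15.4.7 is still the fix.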
OSV
osv · 2025-08-29
CVE-2025-57822 [MEDIUM] Next.js Improper Middleware Redirect Handling Leads to SSRF
A vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly passed into `NextResponse.next()`. In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.
All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the `next()` function.
More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57822)
GHSA
ghsa · 2025-08-29
CVE-2025-57822 [MEDIUM] CWE-918 Next.js Improper Middleware Redirect Handling Leads to SSRF
(Advisory text identical to the OSV entry above, including the link to the Vercel Changelog.)
No detection rules found.
Nuclei
nuclei · CVSS 8.2
CVE-2025-57822 [HIGH] Next.js Middleware - Server-Side Request Forgery
In Next.js prior to versions 14.2.32 and 15.4.7, when request headers were insecurely passed to NextResponse.next(), an attacker could exploit this behavior to perform Server-Side Request Forgery (SSRF) attacks.
Template:

```yaml
id: CVE-2025-57822

info:
  name: Next.js Middleware - Server-Side Request Forgery
  author: prdngr,nicolas-latacora
  severity: medium
  description: |
    In Next.js prior to versions 14.2.32 and 15.4.7, when request headers were insecurely passed to NextResponse.next(), an attacker could exploit this behavior to perform Server-Side Request Forgery (SSRF) attacks.
  impact: |
    Attackers can manipulate request headers to perform SSRF attacks by forcing the server to make requests to arbitrary internal or external URLs when middleware pa
```
No writeups or analysis indexed.
Published: 2025-08-29