CVE-2025-57822

Next.js Improper Middleware Redirect Handling Leads to SSRF

CVSS 6.5 MEDIUM · EPSS 2.3% · CWE-918
In short

Next.js middleware in certain versions can inadvertently allow attackers to make requests to internal servers when the next() function is used improperly, potentially exposing sensitive internal resources in self-hosted applications.

Technical detail

When next() is called without explicitly passing the request object in custom middleware, user-supplied headers may be forwarded unsafely in self-hosted environments, enabling Server-Side Request Forgery (SSRF) attacks against internal infrastructure. The vulnerability affects Next.js versions before 14.2.32 and 15.4.7; exploitation requires improper middleware configuration that fails to sanitize or control header propagation.

Summary generated and translated by AI from the official description.
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
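Two defender-side checks that follow from the advisory text, written as an added example for this page (it is not Next.js code and not part of the official description). The first decides whether an installed next.js version falls in the unpatched range, reading the advisory's "prior to 14.2.32 and 15.4.7" as "below 14.2.32" and "15.0.0 up to but not including 15.4.7" (an assumption made explicit in the code). The second scans middleware source for `NextResponse.next()` calls that pass no argument, so a reviewer can confirm the request is forwarded explicitly as the advisory asks; it is a line-oriented text heuristic, not a parser. The sample middleware and version strings are constructed for the example, and the `{ request: { headers: ... } }` form is the documented way to hand request headers to `NextResponse.next`.

```javascript
// Added example for CVE-2025-57822 (not Next.js or the advisory's own code).
// Assumed affected range: version < 14.2.32, or 15.0.0 <= version < 15.4.7.

const FIXED_14 = [14, 2, 32];
const FIXED_15 = [15, 4, 7];

// Parse "15.4.6", "v15.4.6", "^15.4.6" or "15.4.6-canary.1" into [major, minor, patch].
// Pre-release suffixes are dropped (assumption: treat a canary as its base version).
function parseVersion(version) {
  const core = version.replace(/^[v^~]/, '').split('-')[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${version}`);
  }
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true when the version is inside the assumed affected range above.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  if (v[0] < 14) return true;                           // below 14.2.32
  if (v[0] === 14) return compareVersions(v, FIXED_14) < 0;
  if (v[0] === 15) return compareVersions(v, FIXED_15) < 0;
  return false;                                          // 16+ postdates the fix
}

// Matches NextResponse.next( ... ) where the parentheses contain only whitespace,
// i.e. a call that forwards nothing explicitly. Calls that pass an init object
// (such as { request: { headers } }) do not match.
const BARE_NEXT_CALL = /NextResponse\s*\.\s*next\s*\(\s*\)/;

// Returns one finding per source line containing a bare next() call.
function findBareNextCalls(source) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    if (BARE_NEXT_CALL.test(line)) {
      findings.push({ line: index + 1, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample middleware: one explicit forward, one bare call to flag.
const SAMPLE_MIDDLEWARE = `
import { NextResponse } from 'next/server';

export function middleware(request) {
  if (request.nextUrl.pathname.startsWith('/admin')) {
    // forwards the incoming request headers explicitly
    return NextResponse.next({ request: { headers: request.headers } });
  }
  return NextResponse.next();
}
`;

function audit(installedVersion, middlewareSource) {
  return {
    version: installedVersion,
    affectedVersion: isAffectedVersion(installedVersion),
    bareNextCalls: findBareNextCalls(middlewareSource),
  };
}

// Constructed inputs: a version one patch below the 14.x fix, plus the sample above.
console.log(JSON.stringify(audit('14.2.31', SAMPLE_MIDDLEWARE), null, 2));
```

Run it against the `next` entry from a deployment's lock file and the project's `middleware.js`/`middleware.ts`; a hit on either check is a prompt to upgrade and to review why the flagged call does not pass the request, not proof of exploitability, since the advisory ties exploitation to a self-hosted setup that forwards user-supplied headers.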
Affected products
vercel · next.js
