Vercel · Next.js · CVE-2025-57822
**Name of the Vulnerable Software and Affected Versions**
Next.js versions prior to 14.2.32, and Next.js 15.x versions prior to 15.4.7
**Description**
Next.js is a React framework for building full-stack web applications. Middleware returns `NextResponse.next()` to pass control to the next middleware or to the route handler. In self-hosted applications, calling `next()` without explicitly passing the request object, and instead passing the incoming request's headers directly into `NextResponse.next()`, could lead to Server-Side Request Forgery (SSRF): sensitive headers from the incoming request could be reflected back into the response. SSRF is a class of web vulnerability in which an attacker causes the server to issue requests on the attacker's behalf, typically reaching hosts or services the attacker could not address directly.
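The pattern the description refers to, shown as an added example rather than code from the advisory or the Next.js project: the vulnerable middleware shape beside a hardened one, with a small check that reports which client-supplied header names would be emitted in the response. It stands in for `next/server` with plain `Headers` objects so it runs on Node 18+ without a Next.js install; the middleware snippets in the comments, the `x-request-id` header and the static response headers are assumptions for illustration.

```javascript
// Added example; it is not code from the Next.js project or from the advisory.
// It models the middleware pattern the advisory describes without importing
// `next/server`, so it runs stand-alone on Node 18+ (global `Headers`).
//
// Vulnerable shape: the incoming request's headers are handed to NextResponse.next()
// as *response* headers, so whatever the client sent can come back in the response.
//
//   export function middleware(request) {
//     return NextResponse.next({ headers: request.headers });
//   }
//
// Hardened shape: headers meant for the downstream route travel inside the explicit
// `request` option, and response headers are set only from values middleware chose.
//
//   export function middleware(request) {
//     const { requestHeaders, responseHeaders } =
//       buildMiddlewareHeaders(request.headers, crypto.randomUUID());
//     return NextResponse.next({
//       request: { headers: requestHeaders },
//       headers: responseHeaders,
//     });
//   }

// Response headers this (hypothetical) middleware always sets; none derive from the client.
const STATIC_RESPONSE_HEADERS = {
  "x-frame-options": "DENY",
  "referrer-policy": "strict-origin-when-cross-origin",
};

// Vulnerable init object: the client's headers become the response's headers.
function vulnerableNextInit(incomingHeaders) {
  return { headers: new Headers(incomingHeaders) };
}

// Hardened split: copy the client's headers for the route (adding a request id),
// and keep the response headers fully under the middleware's control.
function buildMiddlewareHeaders(incomingHeaders, requestId) {
  const requestHeaders = new Headers(incomingHeaders);
  requestHeaders.set("x-request-id", requestId);
  const responseHeaders = new Headers(STATIC_RESPONSE_HEADERS);
  return { requestHeaders, responseHeaders };
}

// Review check: which client-supplied header names would be emitted in the response?
// Returns a sorted list; an empty list means nothing from the client is reflected.
function reflectedHeaderNames(incomingHeaders, responseHeaders) {
  const reflected = [];
  for (const [name] of incomingHeaders) {
    if (responseHeaders.has(name)) reflected.push(name);
  }
  return reflected.sort();
}

// Constructed sample request headers, including ones that must never be echoed back.
const SAMPLE_REQUEST_HEADERS = new Headers({
  accept: "text/html",
  authorization: "Bearer constructed-token",
  cookie: "session=constructed",
  "x-forwarded-host": "attacker.example",
});
```

The same `reflectedHeaderNames` check can be pointed at a real middleware's returned response headers in a unit test; an empty list is the expected result once the request headers no longer flow into the response init.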
**Recommendations**
Next.js versions prior to 14.2.32 should be upgraded to 14.2.32 or later.
Next.js 15.x versions prior to 15.4.7 should be upgraded to 15.4.7 or later.
Review custom middleware for `NextResponse.next()` calls that pass the incoming request's headers straight through as response headers; request headers that a route needs should be supplied through the explicit request object instead, and response headers set only to values the middleware itself chooses.
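An added example, not from the advisory or the Next.js project, that turns the version guidance above into a check: it parses a `next` version string, compares it against the fixed versions the advisory names, and reads the installed version out of `npm ls next --depth=0 --json`. The affected-range logic follows the advisory literally (anything before 14.2.32, and 15.x before 15.4.7); treating prerelease builds as unpatched and the `example-app` sample output are assumptions.

```javascript
// Added example; not part of the advisory or the Next.js project. It decides whether
// an installed `next` version is inside the ranges this advisory lists as affected,
// and pulls that version out of `npm ls next --depth=0 --json` output.

// Fixed versions named in the advisory, keyed by release line.
const FIXED_VERSIONS = { 14: "14.2.32", 15: "15.4.7" };

// Parse "15.4.6" or "15.4.7-canary.3" into numeric parts plus an optional prerelease tag.
function parseVersion(versionString) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(
    versionString.trim()
  );
  if (!m) throw new Error(`unrecognised version string: ${versionString}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    prerelease: m[4] ?? null,
  };
}

// Semver ordering on the numeric parts. A prerelease sorts below the release it
// precedes (15.4.7-canary.3 < 15.4.7), so such builds still count as unpatched here
// (assumption: canary builds are not trusted to carry the fix).
function compareVersions(a, b) {
  for (const part of ["major", "minor", "patch"]) {
    if (a[part] !== b[part]) return a[part] < b[part] ? -1 : 1;
  }
  if (a.prerelease && !b.prerelease) return -1;
  if (!a.prerelease && b.prerelease) return 1;
  return 0;
}

// True when the version is in an affected range: anything before 14.2.32 (which
// includes older release lines, for which no fixed version is listed), or 15.x
// before 15.4.7. Release lines after 15 are not listed, so they return false.
function isAffectedNextVersion(versionString) {
  const v = parseVersion(versionString);
  if (v.major <= 14) return compareVersions(v, parseVersion(FIXED_VERSIONS[14])) < 0;
  if (v.major === 15) return compareVersions(v, parseVersion(FIXED_VERSIONS[15])) < 0;
  return false;
}

// Extract the resolved `next` version from `npm ls next --depth=0 --json` output.
function nextVersionFromNpmLs(npmLsJson) {
  const entry = JSON.parse(npmLsJson).dependencies?.next;
  if (!entry || !entry.version) {
    throw new Error("next is not a direct dependency of this project");
  }
  return entry.version;
}

// Constructed sample of what `npm ls next --depth=0 --json` prints for a project
// still on a vulnerable release.
const SAMPLE_NPM_LS_OUTPUT = JSON.stringify({
  name: "example-app",
  version: "0.1.0",
  dependencies: { next: { version: "15.4.6" } },
});
```

In a CI job the two functions chain together: feed the captured `npm ls next --depth=0 --json` output to `nextVersionFromNpmLs`, pass the result to `isAffectedNextVersion`, and fail the build on `true`. Lockfile pins and workspace packages each need their own `npm ls` run, since a hoisted `next` at the root does not prove every workspace resolves the same version.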