CVE-2025-6087

Name of the Vulnerable Software and Affected Versions @opennextjs/cloudflare versions prior to 1.3.0 create-cloudflare versions prior to 2.49.3

Description A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the "/ next/image" endpoint. This issue allowed attackers to load remote resources from arbitrary hosts under the victim site’s domain for any site deployed using the Cloudflare adapter for Open Next. The vulnerability can lead to arbitrary remote content loading, potential internal service exposure, or phishing risks through domain abuse.

Recommendations For @opennextjs/cloudflare versions prior to 1.3.0, update to version 1.3.0 or later. For create-cloudflare versions prior to 2.49.3, update to version 2.49.3 or later. As a temporary workaround, consider restricting access to the "/ next/image" endpoint to only load images. Use the remotePatterns filter in Next config to allow-list external URLs with image assets if needed.