PT-2025-35322 · Vercel · Next.Js
Aaronbrown-Vercel · Published 2025-08-29 · Updated 2025-12-04 · CVE-2025-57822

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Next.js versions prior to 14.2.32 and versions prior to 15.4.7.

Description: Next.js is a React framework for building full-stack web applications. In self-hosted applications, using the next() function without explicitly passing the request object could lead to Server-Side Request Forgery (SSRF). The issue arose when request headers were passed directly into NextResponse.next(), which could allow sensitive headers from the incoming request to be reflected back into the response. SSRF is a web security vulnerability that lets an attacker cause the server to make requests on their behalf. The next() function is used within middleware to pass control to the next middleware or to the route handler.

Recommendations: Upgrade Next.js versions prior to 14.2.32 to version 14.2.32 or later, and versions prior to 15.4.7 to version 15.4.7 or later. Verify correct usage of the next() function in custom middleware logic.
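Two defender-side checks that follow from the advisory, as an added example that is neither the advisory's nor the Next.js project's own code: a version test against the stated fixed releases, and an explicit allowlist for the headers custom middleware forwards, instead of handing the incoming request's headers wholesale to NextResponse.next(). The allowlist contents, the "major.minor.patch" version format and the sample request are assumptions.

```javascript
// Added example (not from the advisory or the Next.js project): two defender-side
// checks for CVE-2025-57822. Assumes plain "major.minor.patch" version strings
// (optional leading "v") and an application-specific header allowlist.

// Fixed releases as stated in the advisory: 14.2.32 for 14.x, 15.4.7 for 15.x.
const FIXED_RELEASES = { 14: [14, 2, 32], 15: [15, 4, 7] };

function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when the installed Next.js version is in an affected range
// ("prior to 14.2.32" or "prior to 15.4.7").
function isAffected(version) {
  const v = parseVersion(version);
  if (v[0] < 14) return true; // anything older than 14.2.32
  const fixed = FIXED_RELEASES[v[0]];
  return fixed ? compareVersions(v, fixed) < 0 : false; // 16+ is in neither range
}

// Headers that custom middleware is allowed to forward. Assumed allowlist; an
// application would tailor it. Everything else from the incoming request is
// dropped rather than being passed wholesale into NextResponse.next().
const FORWARD_ALLOWLIST = new Set(["accept", "accept-language", "content-type", "user-agent"]);

// Accepts any iterable of [name, value] pairs (a Headers object iterates that way)
// and returns a plain object holding only the allowlisted headers, names lowercased.
function forwardableHeaders(incomingHeaders) {
  const out = {};
  for (const [name, value] of incomingHeaders) {
    const key = String(name).toLowerCase();
    if (FORWARD_ALLOWLIST.has(key)) out[key] = value;
  }
  return out;
}

// Constructed sample: a self-hosted install on 15.4.6 and a request carrying a session cookie.
console.log(isAffected("15.4.6")); // true
console.log(forwardableHeaders([["Accept", "text/html"], ["Cookie", "session=abc"]])); // { accept: 'text/html' }
```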

Tags: Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers: CVE-2025-57822, GHSA-4342-X723-CH2F

Affected Products: Next.Js