PT-2025-35322 · Vercel · Next.js
Aaronbrown-Vercel · Published 2025-08-29 · Updated 2025-08-30
CVE-2025-57822
CVSS v3.1 base score: 6.5 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Fix · SSRF
Affected Products: Next.js
Name of the Vulnerable Software and Affected Versions:
Next.js versions prior to 14.2.32
Next.js versions prior to 15.4.7
Description:
Next.js, a React framework for building full-stack web applications, is susceptible to Server-Side Request Forgery (SSRF) in self-hosted applications. The issue occurs when the `next()` function is used in middleware without explicitly passing the request object, which can lead to user-supplied headers being forwarded incorrectly.
Recommendations:
Next.js versions prior to 14.2.32: Upgrade to version 14.2.32 or later.
Next.js versions prior to 15.4.7: Upgrade to version 15.4.7 or later.
Verify correct usage of the `next()` function in custom middleware logic.
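The two checks below are an added example, not code from this advisory or from Vercel/Next.js. The first compares an installed Next.js version against the fixed releases named above (14.2.32 and 15.4.7). The second is a heuristic scan of middleware source for `next()` calls that pass no argument, as a starting point for the manual review the recommendation asks for; the regex, the function names and the sample middleware text are all assumptions constructed for this example.

```javascript
// Added example (not from the advisory or from Vercel/Next.js): local checks a
// defender can run against a self-hosted Next.js project.
//  1. isFixedVersion(): is the installed `next` version at or above the fixed
//     release for its major line (14.2.32 / 15.4.7 per the advisory)?
//  2. findBareNextCalls(): heuristic scan for `next()` called with no argument,
//     so each hit can be reviewed for whether the request object is passed
//     explicitly. The regex is an assumption, not Next.js tooling.

const FIXED_VERSIONS = { 14: [14, 2, 32], 15: [15, 4, 7] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> at or above the fixed release for that major line
// false -> "prior to 14.2.32" / "prior to 15.4.7", i.e. affected
// null  -> a major line the advisory does not cover (16 and later)
function isFixedVersion(installed) {
  const parsed = parseVersion(installed);
  const major = parsed[0];
  if (major < 14) return false; // everything below 14.2.32 is "prior to" it
  const fixed = FIXED_VERSIONS[major];
  if (!fixed) return null;
  return compareVersions(parsed, fixed) >= 0;
}

// Heuristic: a `next(` call whose argument list is empty or whitespace-only.
// Returns the 1-based line number and trimmed text of each hit. Any other
// function named `next` (e.g. an Express-style callback) also matches, so
// treat hits as review candidates, not confirmed findings.
function findBareNextCalls(source) {
  const bare = /\bnext\s*\(\s*\)/;
  const hits = [];
  source.split('\n').forEach((line, i) => {
    if (bare.test(line)) hits.push({ line: i + 1, text: line.trim() });
  });
  return hits;
}

// Constructed sample middleware (not real project code): one bare `next()`
// beside a call that passes the request object explicitly.
const SAMPLE_MIDDLEWARE = `
import { NextResponse } from 'next/server';

export function middleware(request) {
  if (request.nextUrl.pathname.startsWith('/public')) {
    return NextResponse.next();
  }
  return NextResponse.next({ request });
}
`;

// Combined report for a project: version status plus middleware review hits.
function auditProject(installedVersion, middlewareSource) {
  return {
    version: installedVersion,
    fixed: isFixedVersion(installedVersion),
    bareNextCalls: findBareNextCalls(middlewareSource),
  };
}

console.log(JSON.stringify(auditProject('14.2.31', SAMPLE_MIDDLEWARE), null, 2));
```

Run it with `node` and replace the constructed version string and sample text with the `next` entry from your `package.json` and the contents of your own `middleware.js`/`middleware.ts`; a `fixed: false` result means upgrade first, and each listed line is a `next()` call to check against the explicit-request form.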