CVE-2026-3125

Name of the Vulnerable Software and Affected Versions @opennextjs/cloudflare (affected versions not specified)

Description A Server-Side Request Forgery (SSRF) issue exists in the @opennextjs/cloudflare package. This is due to a path normalization bypass in the /cdn-cgi/image/ handler. Specifically, using a backslash instead of a forward slash in the path (e.g., /cdn-cgiimage/ instead of /cdn-cgi/image/) can bypass edge interception and allow requests to reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, leading to an unvalidated fetch of arbitrary remote URLs. This allows an attacker to serve attacker-controlled content through the victim site's domain, potentially violating the same-origin policy and misleading users. Cloudflare Workers with Assets and Cloudflare Pages are also affected, as assets stored under /cdn-cgi/ paths can become publicly accessible using the same backslash bypass. This could lead to the retrieval of private data, such as incremental cache data stored under /cdn-cgi/ next cache. The vulnerable API endpoint is /cdn-cgi/image/. The vulnerable parameter is the URL provided after the handler, such as https://attacker.com in the example https://victim-site.com/cdn-cgiimage/aaaa/https://attacker.com.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.