Severity: MEDIUM (score 6.5) · Ecosystem: npm
Next.js Improper Middleware Redirect Handling Leads to SSRF
GHSA-4342-x723-ch2f · CVE-2025-57822
Description
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.
All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
More details are available in the Vercel changelog entry linked under References.
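The advisory warns against passing the incoming request headers straight into NextResponse.next(). The added example below (not Next.js project code, and not the advisory's own fix) shows the mitigation a self-hosted deployment can apply in its own middleware: build the forwarded header set from an explicit allowlist so that nothing the client controls is reflected unless the application needs it. The allowlist contents and the helper names are assumptions; the advisory does not name the specific sensitive headers.

```javascript
// Added example: allowlist-based header forwarding for Next.js middleware.
// Uses only the WHATWG `Headers` class (global in Node 18+), so it runs offline.
//
// Vulnerable pattern described by the advisory (do not do this):
//   return NextResponse.next({ request: { headers: request.headers } });
// Hardened pattern (usage shown in a comment so the file runs without Next.js):
//   return NextResponse.next({ request: { headers: buildForwardHeaders(request.headers) } });

// Illustrative allowlist (assumption): only headers the app actually consumes
// downstream. Every other client-supplied header, including any framework
// control header a client might try to spoof, is dropped rather than reflected.
const FORWARDED_HEADERS = new Set([
  "accept",
  "accept-language",
  "authorization",
  "content-type",
  "cookie",
  "user-agent",
]);

// Copy only allowlisted headers from `incoming` into a fresh Headers object.
// Header names from Headers iteration are already lowercased.
function buildForwardHeaders(incoming) {
  const out = new Headers();
  for (const [name, value] of incoming) {
    if (FORWARDED_HEADERS.has(name.toLowerCase())) {
      out.set(name, value);
    }
  }
  return out;
}

// Return the sorted names of headers that were NOT forwarded. Useful for a
// one-line log in middleware so operators can spot clients sending headers
// the application never expects (e.g. redirect- or rewrite-like names).
function droppedHeaders(incoming) {
  const dropped = [];
  for (const [name] of incoming) {
    if (!FORWARDED_HEADERS.has(name.toLowerCase())) dropped.push(name.toLowerCase());
  }
  return dropped.sort();
}

// Constructed sample request headers for a stand-alone run.
const sampleIncoming = new Headers({
  Accept: "text/html",
  Cookie: "session=abc",
  Location: "https://attacker.invalid/",   // constructed: should never be forwarded
  "X-Forwarded-Host": "attacker.invalid",   // constructed: not on the allowlist
});
console.log([...buildForwardHeaders(sampleIncoming)], droppedHeaders(sampleIncoming));
```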
References
- WEB https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-57822
- WEB https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8
- PACKAGE https://github.com/vercel/next.js
- WEB https://vercel.com/changelog/cve-2025-57822