AI description
CVE-2025-57822 is a vulnerability affecting Next.js, a React framework, in versions prior to 14.2.32 and 15.4.7. It involves a Server-Side Request Forgery (SSRF) risk due to improper handling of the `NextResponse.next()` function within middleware. The issue arises when request headers are directly passed into `NextResponse.next()` without explicitly passing the request object. In self-hosted applications with custom middleware logic, this could allow an attacker to influence internal requests and potentially access sensitive internal resources by crafting requests with user-controlled headers (e.g., Location) that are forwarded or interpreted without validation. The vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7 by updating the internal middleware logic to prevent unsafe fallback behavior when the request object is omitted from the `next()` call.
- Description: Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
- Source: security-advisories@github.com
- NVD status: Analyzed
- Products: next.js
CVSS 3.1
- Type: Primary
- Base score: 8.2
- Impact score: 4.2
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Severity: HIGH
- Weakness (source security-advisories@github.com): CWE-918
- Hype score: Not currently trending
🚨 Next.js and the Mutated Middleware [CVE-2025-57822] - a powerful SSRF primitive enabling full control over HTTP methods, headers & URLs. See how a subtle middleware bug can result in a high-impact vulnerability: 🔗 https://t.co/gC6npJz8dr #AppSec #Nextjs #SSRF
@RootSysAt, 21 Sept 2025
8197 impressions, 30 retweets, 95 likes, 54 bookmarks, 1 reply, 0 quotes
CVE-2025-57822 Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the reque… https://t.co/Giy8tjtE6T
@CVEnew, 29 Aug 2025
389 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2A3CBDD9-BA60-40F2-905B-1E4BD421D658",
            "versionEndExcluding": "14.2.32"
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "03A17779-828F-4998-BA58-18474C6A794A",
            "versionEndExcluding": "15.4.7",
            "versionStartIncluding": "15.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]