CVE-2025-57822

Published Aug 29, 2025

Last updated 3 months ago

CVSS medium 6.5
React
Next.js

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-57822 is a vulnerability affecting Next.js, a React framework, in versions prior to 14.2.32 and 15.4.7. It involves a Server-Side Request Forgery (SSRF) risk due to improper handling of the `NextResponse.next()` function within middleware. The issue arises when request headers are directly passed into `NextResponse.next()` without explicitly passing the request object. In self-hosted applications with custom middleware logic, this could allow an attacker to influence internal requests and potentially access sensitive internal resources by crafting requests with user-controlled headers (e.g., Location) that are forwarded or interpreted without validation. The vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7 by updating the internal middleware logic to prevent unsafe fallback behavior when the request object is omitted from the `next()` call.
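A review aid for the usage check the description recommends, as an added example (not code from Next.js or the advisory): it flags `NextResponse.next()` calls that pass a top-level `headers` option without the `request` option. The function names and sample snippets are constructed here; `NextResponse.next({ request: { headers } })` is the documented Next.js form for forwarding request headers, and a flagged call that only sets static response headers is a false positive to dismiss by hand.

```javascript
// Added example: heuristic review aid, not part of Next.js or the advisory.
// Flags NextResponse.next() calls that set a top-level `headers` option
// without the `request` option, the usage pattern CVE-2025-57822 concerns.

// Return the raw argument text of every NextResponse.next(...) call.
function findNextCalls(source) {
  const marker = "NextResponse.next(";
  const calls = [];
  let start = source.indexOf(marker);
  while (start !== -1) {
    let i = start + marker.length, depth = 1;
    for (; i < source.length && depth > 0; i++) {
      if (source[i] === "(") depth++;
      else if (source[i] === ")") depth--;
    }
    calls.push(source.slice(start + marker.length, i - 1).trim());
    start = source.indexOf(marker, i);
  }
  return calls;
}

// Names of the properties at the top level of an object-literal argument.
function topLevelKeys(arg) {
  const keys = [];
  let depth = 0, token = "", inKey = false;
  const flush = () => { if (inKey && token) keys.push(token); token = ""; };
  for (const ch of arg) {
    if ("{([".includes(ch)) {
      if (++depth === 1) inKey = true;
    } else if ("})]".includes(ch)) {
      if (depth-- === 1) flush(); // closes the outer literal: emit shorthand key
    } else if (depth === 1) {
      if (ch === ":") { flush(); inKey = false; }
      else if (ch === ",") { flush(); inKey = true; }
      else if (inKey && /[\w$]/.test(ch)) token += ch;
    }
  }
  return keys;
}

// One finding per call: `review` is true when headers bypass `request`.
function auditMiddleware(source) {
  return findNextCalls(source).map((arg) => {
    const keys = topLevelKeys(arg);
    return { arg, review: keys.includes("headers") && !keys.includes("request") };
  });
}

// Constructed sample middleware lines (not taken from a real project).
const flagged = "return NextResponse.next({ headers: request.headers });";
const documented = "return NextResponse.next({ request: { headers: requestHeaders } });";
```
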

Description
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
Source: security-advisories@github.com
NVD status: Analyzed
Products: next.js

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.2
Impact score: 4.2
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Severity: HIGH

Weaknesses

security-advisories@github.com: CWE-918

Social media

Hype score: Not currently trending

  1. Plop ! HExHTTP v2.3: - Renames files and directory - Linting - Fixed bugs - Remake simple cache poisoning module - New payloads - Menu in README(.)md - CVE-2025-57822 module check - Add random user-agent during cpdos to avoid overly strict waf & more ! :) HF !

    @c0dejump, 9 Nov 2025 (168 impressions, 0 retweets, 5 likes, 1 bookmark, 0 replies, 0 quotes)

  2. Next.js and the Mutated Middleware - interesting analysis of CVE-2025-57822 in Next.js https://t.co/qqYyLW3oEs By @RootSysAt team #bugbounty #bugbountytips https://t.co/tuYA9Z6P5F

    @payloadartist, 31 Oct 2025 (1645 impressions, 6 retweets, 24 likes, 24 bookmarks, 2 replies, 0 quotes)

  3. 📚 Next.js PoC (CVE-2025-57822) Exploring an edge-case where Next.js middleware header handling opens a subtle attack surface. Read: https://t.co/JGREsWBxb4 https://t.co/Vv3RbXg6Tj

    @IntCyberDigest, 29 Oct 2025 (2077 impressions, 3 retweets, 16 likes, 6 bookmarks, 0 replies, 0 quotes)

  4. 💡Quick tip! Testing a target running on NextJS? Try to test for CVE-2025-57822, a simple SSRF triggered via the Location header. This happens whenever developers pass unsanitized request headers to the next() method! 🤠 Example! 👇 https://t.co/ed4VnVWEmu

    @intigriti, 13 Oct 2025 (6498 impressions, 12 retweets, 109 likes, 78 bookmarks, 1 reply, 0 quotes)

  5. 🚨 Next.js and the Mutated Middleware [CVE-2025-57822] - a powerful SSRF primitive enabling full control over HTTP methods, headers & URLs. See how a subtle middleware bug can result in a high-impact vulnerability: 🔗 https://t.co/gC6npJz8dr #AppSec #Nextjs #SSRF

    @RootSysAt, 21 Sept 2025 (8197 impressions, 30 retweets, 95 likes, 54 bookmarks, 1 reply, 0 quotes)

  6. CVE-2025-57822 Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the reque… https://t.co/Giy8tjtE6T

    @CVEnew, 29 Aug 2025 (389 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes)

Configurations