CVE-2025-57822

Published Aug 29, 2025

Last updated 6 months ago

CVSS medium 6.5
React
Next.js

Overview

Description
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
Source
security-advisories@github.com
NVD status
Analyzed
Products
next.js

Risk scores

CVSS 3.1

Type
Primary
Base score
8.2
Impact score
4.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-918

Social media

Hype score
Not currently trending
  1. Plop ! HExHTTP v2.3: - Renames files and directory - Linting - Fixed bugs - Remake simple cache poisoning module - New payloads - Menu in README(.)md - CVE-2025-57822 module check - Add random user-agent during cpdos to avoid overly strict waf & more ! :) HF !

    @c0dejump

    9 Nov 2025

    168 Impressions

    0 Retweets

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  2. Next.js and the Mutated Middleware - interesting analysis of CVE-2025-57822 in Next.js https://t.co/qqYyLW3oEs By @RootSysAt team #bugbounty #bugbountytips https://t.co/tuYA9Z6P5F

    @payloadartist

    31 Oct 2025

    1645 Impressions

    6 Retweets

    24 Likes

    24 Bookmarks

    2 Replies

    0 Quotes

  3. 📚 Next.js PoC (CVE-2025-57822) Exploring an edge-case where Next.js middleware header handling opens a subtle attack surface. Read: https://t.co/JGREsWBxb4 https://t.co/Vv3RbXg6Tj

    @IntCyberDigest

    29 Oct 2025

    2077 Impressions

    3 Retweets

    16 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  4. 💡Quick tip! Testing a target running on NextJS? Try to test for CVE-2025-57822, a simple SSRF triggered via the Location header. This happens whenever developers pass unsanitized request headers to the next() method! 🤠 Example! 👇 https://t.co/ed4VnVWEmu

    @intigriti

    13 Oct 2025

    6498 Impressions

    12 Retweets

    109 Likes

    78 Bookmarks

    1 Reply

    0 Quotes

  5. 🚨 Next.js and the Mutated Middleware [CVE-2025-57822] - a powerful SSRF primitive enabling full control over HTTP methods, headers & URLs. See how a subtle middleware bug can result in a high-impact vulnerability: 🔗 https://t.co/gC6npJz8dr #AppSec #Nextjs #SSRF

    @RootSysAt

    21 Sept 2025

    8197 Impressions

    30 Retweets

    95 Likes

    54 Bookmarks

    1 Reply

    0 Quotes

  6. CVE-2025-57822 Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the reque… https://t.co/Giy8tjtE6T

    @CVEnew

    29 Aug 2025

    389 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

  1. A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

     1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

     2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

     Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`), causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

     To be affected you must have an application running with `experimental.ppr: true` or `cacheComponents: true` configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable. Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

     CVE-2025-59472