
8 matches found

vulnersOsv
added 2026/03/04 9:20 p.m., 5 views

better-auth-cloudflare (=0.1.0), next-ai-draw-io (=0.4.10) potentially affected by CVE-2026-3125 via @opennextjs/cloudflare (>=1.0.1 <=1.14.8)

@opennextjs/cloudflare NPM version >=1.0.1, <=1.14.8 is affected by a known vulnerability. The following packages have a transitive dependency on @opennextjs/cloudflare and may be impacted:
- better-auth-cloudflare =0.1.0
- next-ai-draw-io =0.4.10

Source CVEs: CVE-2026-3125
Source advisory:...

CVSS 7.7, AI score 5.8, EPSS 0.00363
Exploits: 0

OSV
added 2026/03/04 7:16 p.m., 4 views

CVE-2026-3125

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler. The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In...

CVSS 6.5, AI score 6, EPSS 0.00832
Exploits: 0, References: 4

Vulnrichment
added 2026/03/04 6:14 p.m., 4 views

CVE-2026-3125 SSRF vulnerability in opennextjs-cloudflare via /cdn-cgi/ path normalization bypass

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler. The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In...

CVSS 7.7, AI score 6.1, EPSS 0.00363
Exploits: 0, References: 4

Cvelist
added 2026/03/04 6:14 p.m., 28 views

CVE-2026-3125 SSRF vulnerability in opennextjs-cloudflare via /cdn-cgi/ path normalization bypass

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler. The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In...

CVSS 7.7, EPSS 0.00363
Exploits: 0, References: 4

BDU FSTEC
added 2025/06/18 12:00 a.m., 10 views

A vulnerability in the opennextjs package from Cloudflare’s network traffic balancing service for web applications allows attackers to execute arbitrary code.

The vulnerability in the opennextjs package, a network traffic balancing service for Cloudflare’s web applications, relates to insufficient validation of incoming requests. Exploiting this vulnerability allows an attacker to execute arbitrary code by manipulating requests sent from the server’s...

CVSS 9.3, AI score 6, EPSS 0.00832
Exploits: 0, References: 3, Affected Software: 2

vulnersOsv
added 2025/06/16 7:37 p.m., 2 views

@basemachina/ai-csv-editor (>=0.1.0 <=0.2.1), @edgebasejs/admin-console (=0.1.0) +14 more potentially affected by CVE-2025-6087 +1 more via @opennextjs/cloudflare (>=1.0.1 <=1.19.7)

@opennextjs/cloudflare NPM version =1.0.1, =0.1.0, =0.1.4, =0.1.0, =0.1.0, =0.1.0, =0.0.694, =0.0.1, =0.0.6 - next-ai-draw-io =0.4.10 - opennext-oss-provider =0.0.1 and more Source cves: CVE-2025-6087, CVE-2026-3125 Source advisory: OSV:GHSA-RVPW-P7VW-WJ3M...

CVSS 9.1, AI score 7.7, EPSS 0.00832
Exploits: 0

Vulnrichment
added 2025/06/16 6:30 p.m., 10 views

CVE-2025-6087 SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the /_next/image endpoint...

CVSS 7.8, AI score 7, EPSS 0.00832
Exploits: 0, References: 1

CVE
added 2025/06/16 6:30 p.m., 80 views

CVE-2025-6087

CVE-2025-6087 affects @opennextjs/cloudflare (OpenNext Cloudflare adapter) and enables SSRF by proxying arbitrary remote content through the /_next/image endpoint due to an unimplemented feature. Affected deployments using the Cloudflare adapter for Open Next are at risk of loading remote resourc...

CVSS 9.1, AI score 7, EPSS 0.00832
Exploits: 0, References: 1, Affected Software: 2