CVE-2025-57822


Summary

A vulnerability affecting Next.js Middleware has been addressed. It impacted versions prior to v14.2.32 and v15.4.7, and involved a Server-Side Request Forgery (SSRF) risk introduced by misconfigured usage of the NextResponse.next() function within middleware. Applications that reflected a user's request headers in this function, rather than passing them through the request object, could unintentionally allow the server to issue requests to attacker-controlled destinations.

A patch applied on August 25th, 2025 eliminated exposure for Vercel customers running the affected versions.

Impact

In affected configurations, an attacker could:

  • Influence the destination of internal requests triggered by middleware routing logic

  • Perform SSRF against internal infrastructure if user-controlled headers (e.g., Location) were forwarded or interpreted without validation

  • Potentially access sensitive internal resources or services unintentionally exposed via internal redirect behavior

This issue is exploitable in self-hosted deployments where developers use custom middleware logic and do not adhere to documented usage of NextResponse.next({ request }). It is not exploitable on Vercel infrastructure, which isolates and protects internal request behavior.

Resolution

The issue was resolved by updating the internal middleware logic to prevent unsafe fallback behavior when request is omitted from the next() call. This ensures the origin server behavior cannot be unintentionally altered by user-supplied headers or misrouted requests.

Fix available in:

  • Next.js v14.2.32

  • Next.js v15.4.7

Workarounds

For users who cannot upgrade immediately:

  • Ensure middleware follows official guidance: use NextResponse.next({ request }) to explicitly pass the request object

  • Avoid forwarding user-controlled headers to downstream systems without validation

  • Ensure headers that should never be sent from client to server are not reflected back to the client via NextResponse.next, such as Location.
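The following is an added illustration of the two shapes contrasted above, not code from this advisory or from Next.js. It models the options object that middleware would hand to NextResponse.next() using the web-standard Headers API (Node 18+), so it runs without Next.js; the function names, the deny list beyond Location, and the sample headers are assumptions for illustration.

```javascript
// Headers a client must never be allowed to inject into the request that
// middleware forwards. `Location` is the one the advisory names; the other
// two are constructed examples of response-only / hop-by-hop headers.
const NEVER_FROM_CLIENT = new Set(["location", "transfer-encoding", "connection"]);

// Validation step the workarounds call for: forward only headers that are
// safe downstream, dropping anything on the deny list.
function sanitizeForwardedHeaders(incoming) {
  const out = new Headers();
  for (const [name, value] of incoming) {
    if (NEVER_FROM_CLIENT.has(name.toLowerCase())) continue;
    out.set(name, value);
  }
  return out;
}

// Misuse shape (assumed reading of "reflected a user's request headers"):
// the client's headers are copied into the options object itself.
function reflectedOptions(requestHeaders) {
  return { headers: new Headers(requestHeaders) };
}

// Documented shape: the request object is passed through under `request`,
// here with its headers validated first. This object is what real
// middleware would pass to NextResponse.next(...).
function passThroughOptions(requestHeaders) {
  return { request: { headers: sanitizeForwardedHeaders(requestHeaders) } };
}

// Review/check helper: which client-supplied headers that should never reach
// the server side survive in a given options object? Returns their names.
function leakedClientHeaders(options) {
  const found = [];
  const bags = [options.headers, options.request && options.request.headers];
  for (const bag of bags) {
    if (!bag) continue;
    for (const [name] of bag) {
      if (NEVER_FROM_CLIENT.has(name.toLowerCase())) found.push(name.toLowerCase());
    }
  }
  return found;
}

// Constructed sample: a client request smuggling a Location header.
const sampleClientHeaders = new Headers({
  "x-request-id": "constructed-123",
  "Location": "https://internal.example/placeholder",
});
```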

Credit

Thanks to Nicolas Lamoureux (github.com/nicolas-latacora) and the Latacora team for their responsible disclosure.

References