CVE-2025-57822
August 29, 2025
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js Middleware versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
Affected Packages
https://github.com/vercel/next.js.git (GITHUB):
Affected version(s) >=v7.0.2-alpha.0 <v14.2.32Fix Suggestion:
Update to version v14.2.32https://github.com/vercel/next.js.git (GITHUB):
Affected version(s) >=v15.0.0-canary.0 <v15.4.7Fix Suggestion:
Update to version v15.4.7next (NPM):
Affected version(s) >=0.9.9 <14.2.32Fix Suggestion:
Update to version 14.2.32next (NPM):
Affected version(s) >=0.1.0 <14.2.32Fix Suggestion:
Update to version 14.2.32next (NPM):
Affected version(s) >=15.0.0-canary.0 <15.4.7Fix Suggestion:
Update to version 15.4.7Additional Notes
The description of this vulnerability differs from MITRE.
Related Resources (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Server-Side Request Forgery (SSRF)
EPSS
Base Score:
4.3
