CVE-2025-57822

Medium CVSS: 6.5

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

Vendor

Vercel

Product

Next.js

CWE

CWE-918

Yayın Tarihi

2025-08-29 22:15:32

Güncelleme

2025-09-08 16:41:41

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-918 Next.js MEDIUM Vercel 2025

Referanslar

https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8 https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f https://vercel.com/changelog/cve-2025-57822

Benzer Kayıtlar

Medium

CVE-2026-29057

Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 1…

Medium

CVE-2026-27979

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1…

Medium

CVE-2026-27980

Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 1…

Medium

CVE-2026-27978

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1…

Low

CVE-2026-27977

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1…

Medium

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in min…