SSRF Vulnerability in Next.js Framework Affects Vercel Products
CVE-2025-57822

6.5MEDIUM

Key Information:

Vendor: Vercel
Status: Next.js
Vendor: CVE Published:; 29 August 2025

What is CVE-2025-57822?

CVE-2025-57822 is a security vulnerability within the Next.js framework, commonly used for building full-stack web applications. This vulnerability arises when the next() function is invoked without explicitly passing the request object, presenting a potential Server-Side Request Forgery (SSRF) risk in self-hosted applications. Such SSRF vulnerabilities can permit unauthorized requests to internal services or endpoints, compromising the security of the affected application and potentially exposing sensitive data. The flaw has been addressed in the updated Next.js versions 14.2.32 and 15.4.7, and users employing custom middleware logic in self-hosted environments are strongly recommended to upgrade and ensure proper implementation of the next() function to mitigate this risk.

Potential Impact of CVE-2025-57822

Unauthorized Internal Service Access: Attackers may exploit this vulnerability to send requests to internal services, potentially leading to data leaks or unauthorized actions within the network, thus compromising the overall security posture of the organization.
Exposure of Sensitive Information: By leveraging SSRF, threat actors could gain access to sensitive internal resources, including databases or APIs, which may contain confidential or customer data, resulting in serious data privacy violations and regulatory repercussions.
Increased Attack Surface: The existence of this vulnerability in widely used applications increases the attack surface available to cybercriminals. Organizations that do not swiftly address this issue may find themselves targets for more elaborate attacks, possibly leading to further compromise or lateral movement within their networks.