SSRF Vulnerability in Next.js Framework Affects Vercel Products
CVE-2025-57822

6.5 MEDIUM

Key Information:

Vendor: Vercel
Status: Vendor
CVE Published: 29 August 2025

What is CVE-2025-57822?

Next.js, a popular React framework, is affected when Next.js Middleware calls the next() function without explicitly passing a request object. In self-hosted deployments this can lead to Server-Side Request Forgery (SSRF), specifically where the middleware forwards user-supplied headers without vetting them. The issue is fixed in Next.js 14.2.32 and 15.4.7. Self-hosted applications that use custom Middleware logic should upgrade to one of those versions and verify that next() is called correctly, with an explicit request object rather than a wholesale copy of the client's headers.
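The advisory leaves the remediation at "use next() correctly". The block below is an added example, not code from Next.js or Vercel, showing what a vetted header-forwarding policy for self-hosted Middleware looks like. It deliberately does not import next/server so it runs under plain Node (18 or later, for the WHATWG Headers class); the NextResponse.next() call sites are shown in comments. The allowlist, the routing-header set, and the sample request are all constructed for the example; the advisory does not enumerate which headers were abused, so the routing-header set is a conservative assumption built from headers Next.js itself uses to steer routing.

```javascript
// Added example, not Next.js project code: a vetted header-forwarding
// policy for self-hosted Next.js Middleware. Runs under Node >= 18.

// Headers that Next.js writes onto a middleware response to steer routing
// (NextResponse.redirect sets Location, NextResponse.rewrite sets
// x-middleware-rewrite). A client must never be able to supply these.
// Assumption: conservative set plus a prefix rule for the x-middleware-*
// family; the advisory does not list the headers that were abused.
const ROUTING_HEADERS = new Set(['location', 'x-middleware-rewrite', 'x-middleware-next']);
const isRoutingHeader = (name) =>
  ROUTING_HEADERS.has(name) || name.startsWith('x-middleware-');

// Hypothetical allowlist: the only client headers this app wants forwarded.
const ALLOWED_FORWARD = ['accept', 'accept-language', 'authorization', 'x-request-id'];

// Build the header set to hand to next(): allowlisted names only, and never
// a routing header even if one is added to the allowlist by mistake.
function forwardHeaders(incoming, allow = ALLOWED_FORWARD) {
  const out = new Headers();
  const allowed = new Set(allow.map((n) => n.toLowerCase()));
  for (const [name, value] of incoming) {
    const key = name.toLowerCase();
    if (!allowed.has(key) || isRoutingHeader(key)) continue;
    out.set(key, value);
  }
  return out;
}

// Init object for NextResponse.next(): an explicit request object carrying
// the vetted headers. In middleware.ts this is the hardened shape:
//   return NextResponse.next(nextInitFor(request))
// versus the shape the advisory warns about, next() with no explicit
// request object and client headers copied through wholesale, e.g.
//   return NextResponse.next({ headers: request.headers })
function nextInitFor(request) {
  return { request: { headers: forwardHeaders(request.headers) } };
}

// Audit helper: which client headers a wholesale copy would have pushed
// into the routing layer. Useful over captured requests or access logs.
function leakedRoutingHeaders(incoming) {
  const leaked = [];
  for (const [name] of incoming) {
    if (isRoutingHeader(name.toLowerCase())) leaked.push(name.toLowerCase());
  }
  return leaked;
}

// Constructed sample request: a client smuggling routing headers alongside
// legitimate ones. (Headers iterates in sorted, lower-cased name order.)
const sampleRequestHeaders = new Headers({
  Accept: 'text/html',
  Authorization: 'Bearer token',
  Location: 'http://169.254.169.254/latest/meta-data/',
  'x-middleware-rewrite': 'http://10.0.0.5:8080/admin',
  'X-Forwarded-Host': 'attacker.example',
});

// Stand-alone demonstration.
console.log('would leak:', leakedRoutingHeaders(sampleRequestHeaders));
console.log('forwarded :', [...forwardHeaders(sampleRequestHeaders).keys()]);
```

The point of keeping both an allowlist and the routing-header rule is that they fail independently: a later edit that widens the allowlist to "everything" still cannot hand a client-controlled Location or x-middleware-* header to the server, and the audit helper gives you a quick check over captured traffic for clients already probing for the wholesale-copy pattern.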

Affected Version(s)

next.js < 14.2.32 (fixed in 14.2.32)

next.js 15.x < 15.4.7 (fixed in 15.4.7)


CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 29 August 2025

  • Vulnerability reserved