VYPR
Moderate severityNVD Advisory· Published Aug 29, 2025· Updated Sep 2, 2025

Next.js Improper Middleware Redirect Handling Leads to SSRF

CVE-2025-57822

Description

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nextnpm
>= 0.9.9, < 14.2.3214.2.32
nextnpm
>= 15.0.0-canary.0, < 15.4.715.4.7

Affected products

14

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.