SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint
Description
A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the /_next/image endpoint.
This issue allowed attackers to load remote resources from arbitrary hosts under the victim site’s domain for any site deployed using the Cloudflare adapter for Open Next.
For example:
https://victim-site.com/_next/image?url=https://attacker.com
In this example, attacker-controlled content from attacker.com is served through the victim site’s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.
Impact:
- SSRF via unrestricted remote URL loading
- Arbitrary remote content loading
- Potential internal service exposure or phishing risks through domain abuse
Mitigation:
The following mitigations have been put in place:
- Server-side updates to Cloudflare’s platform to restrict the content loaded via the /_next/image endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next.
- Root cause fix to the Cloudflare adapter for Open Next: https://github.com/opennextjs/opennextjs-cloudflare/pull/727. The patched version of the adapter is @opennextjs/cloudflare@1.3.0: https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.3.0
- Package dependency update to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next: https://github.com/cloudflare/workers-sdk/pull/9608. The patched version of create-cloudflare is create-cloudflare@2.49.3: https://www.npmjs.com/package/create-cloudflare/v/2.49.3
In addition to the automatic mitigation deployed on Cloudflare’s platform, we encourage affected users to upgrade to @opennextjs/cloudflare v1.3.0 and use the remotePatterns filter in Next config (https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns) if they need to allow-list external URLs with image assets.
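What enforcing remotePatterns means for the `url` parameter of /_next/image, as an added example that is not code from the advisory or from the adapter. The function names, the hosts and the glob handling (a simplified stand-in for picomatch) are assumptions made for illustration.

```javascript
// Added example, not the adapter's code. Glob support is a simplified stand-in
// for picomatch: `*` stays inside one label/segment, `**` crosses separators.

// Constructed allow-list in the shape of images.remotePatterns (next.config.js).
const remotePatterns = [
  { protocol: "https", hostname: "images.example.com", pathname: "/uploads/**" },
  { protocol: "https", hostname: "*.cdn.example.net" }, // pathname defaults to "**"
];

// Compile a glob to an anchored RegExp. `sep` is "." for hostnames, "/" for paths.
function globToRegExp(glob, sep) {
  const body = glob
    .split(/(\*\*|\*)/)
    .map((part) => {
      if (part === "**") return ".*";
      if (part === "*") return `[^${sep}]+`;
      return part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // escape literal text
    })
    .join("");
  return new RegExp(`^${body}$`);
}

// Compile once at startup and fail early on a pattern without a hostname,
// instead of discovering it while serving a request.
function compilePatterns(patterns) {
  return patterns.map((p) => {
    if (!p.hostname) {
      throw new Error(`remotePattern without hostname: ${JSON.stringify(p)}`);
    }
    return {
      protocol: p.protocol,
      port: p.port,
      hostname: globToRegExp(p.hostname, "."),
      pathname: globToRegExp(p.pathname ?? "**", "/"),
    };
  });
}

// Decide whether the `url` query parameter of /_next/image may be fetched.
function checkImageUrl(raw, compiled) {
  const deny = (reason) => ({ allow: false, reason });
  if (!raw || raw.length > 3072 || raw.startsWith("//")) return deny("malformed");

  // Local asset: allowed unless it points back at the image endpoint itself.
  if (raw.startsWith("/")) {
    let path;
    try {
      path = decodeURIComponent(new URL(raw, "http://n").pathname);
    } catch {
      return deny("malformed"); // e.g. a truncated percent-escape
    }
    return /\/_next\/image($|\/)/.test(path)
      ? deny("recursive")
      : { allow: true, reason: "local" };
  }

  // Remote asset: match on the parsed URL, never on the raw string.
  let url;
  try {
    url = new URL(raw);
  } catch {
    return deny("malformed");
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return deny("scheme");

  const matched = compiled.some(
    (p) =>
      (p.protocol === undefined || `${p.protocol}:` === url.protocol) &&
      (p.port === undefined || p.port === url.port) &&
      p.hostname.test(url.hostname) &&
      p.pathname.test(url.pathname)
  );
  return matched ? { allow: true, reason: "remote" } : deny("not in remotePatterns");
}

// Constructed inputs: the first three are allowed, the rest must be rejected.
const compiledPatterns = compilePatterns(remotePatterns);
for (const candidate of [
  "/logo.png",
  "https://images.example.com/uploads/a/b.png",
  "https://img1.cdn.example.net/x.jpg",
  "https://a.b.cdn.example.net/x.jpg", // `*` covers one label only
  "https://images.example.com/private/a.png", // path outside /uploads/
  "http://images.example.com/uploads/a.png", // protocol mismatch
  "https://images.example.com.other.test/uploads/a.png", // anchored hostname match
  "https://images.example.com@other.test/uploads/a.png", // parsed host is other.test
  "data:image/png;base64,AAAA",
  "//other.test/a.png",
  "/_next/image?url=/logo.png",
  "/%E0%A4%A",
]) {
  const { allow, reason } = checkImageUrl(candidate, compiledPatterns);
  console.log(`${allow ? "ALLOW" : "DENY "} ${reason.padEnd(22)} ${candidate}`);
}
```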
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SSRF in @opennextjs/cloudflare allows unauthenticated attackers to proxy arbitrary remote content via /_next/image, violating same-origin policy.
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability exists in the @opennextjs/cloudflare package, specifically in the Cloudflare adapter for Open Next. The root cause is an unimplemented feature that fails to restrict the /_next/image endpoint, allowing unauthenticated users to proxy arbitrary remote content [3]. This occurs because the adapter does not enforce remotePatterns configuration when fetching external images, as intended by Next.js [4].
Exploitation
An attacker can exploit this by crafting a URL such as https://victim-site.com/_next/image?url=https://attacker.com. No authentication is required, and the request is processed server-side, loading attacker-controlled content under the victim site's domain [3]. This violates the same-origin policy and can be used to serve arbitrary content from any external host.
Impact
Successful exploitation enables SSRF, allowing attackers to load arbitrary remote content through the victim's domain. This can lead to internal service exposure if the server can reach internal networks, and facilitates phishing attacks by making malicious content appear legitimate [3]. The vulnerability also undermines trust in the domain's integrity.
Mitigation
Cloudflare has deployed server-side updates to restrict the /_next/image endpoint to images only, automatically protecting all sites on their platform [3]. The root cause fix is implemented in pull request #727, which enforces remotePatterns using picomatch [2][4]. Users should upgrade to @opennextjs/cloudflare v1.3.0 and create-cloudflare v2.49.3 to apply the fix [1][3].
[1] Install Opennext v1.3.0 by penalosa · Pull Request #9608 · cloudflare/workers-sdk
[2] Enforce remotePatterns when fetching external images by vicb · Pull Request #727 · opennextjs/opennextjs-cloudflare
[3] NVD - CVE-2025-6087
[4] Enforce remotePatterns when fetching external images (#727) · opennextjs/opennextjs-cloudflare@36119c0
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @opennextjs/cloudflare (npm) | < 1.3.0 | 1.3.0 |
Affected products
@opennextjs/cloudflare@0.0.3, @opennextjs/cloudflare@0.1.0, @opennextjs/cloudflare@0.1.1, … + 1 more
- (no CPE) range: @opennextjs/cloudflare@0.0.3, @opennextjs/cloudflare@0.1.0, @opennextjs/cloudflare@0.1.1, …
- (no CPE) range: <1.3.0
- Range: <2.49.3
Patches
36119c0f490c Enforce remotePatterns when fetching external images (#727)
6 files changed · +419 −40
.changeset/plain-beds-win.md+5 −0 added@@ -0,0 +1,5 @@ +--- +"@opennextjs/cloudflare": minor +--- + +Enforce remotePatterns when fetching external images
packages/cloudflare/package.json+2 −0 modified@@ -64,6 +64,7 @@ "@tsconfig/strictest": "catalog:", "@types/mock-fs": "catalog:", "@types/node": "catalog:", + "@types/picomatch": "^4.0.0", "diff": "^8.0.2", "esbuild": "catalog:", "eslint": "catalog:", @@ -73,6 +74,7 @@ "globals": "catalog:", "mock-fs": "catalog:", "next": "catalog:", + "picomatch": "^4.0.2", "rimraf": "catalog:", "typescript": "catalog:", "typescript-eslint": "catalog:",
packages/cloudflare/src/cli/build/open-next/compile-init.ts+25 −0 modified@@ -1,9 +1,11 @@ +/* eslint-disable @typescript-eslint/no-explicit-any */ import path from "node:path"; import { fileURLToPath } from "node:url"; import { loadConfig } from "@opennextjs/aws/adapters/config/util.js"; import type { BuildOptions } from "@opennextjs/aws/build/helper.js"; import { build } from "esbuild"; +import pm from "picomatch"; /** * Compiles the initialization code for the workerd runtime @@ -16,6 +18,27 @@ export async function compileInit(options: BuildOptions) { const nextConfig = loadConfig(path.join(options.appBuildOutputPath, ".next")); const basePath = nextConfig.basePath ?? ""; + // https://github.com/vercel/next.js/blob/d76f0b13/packages/next/src/build/index.ts#L573 + const nextRemotePatterns = nextConfig.images?.remotePatterns ?? []; + + const remotePatterns = nextRemotePatterns.map((p) => ({ + protocol: p.protocol, + hostname: p.hostname ? pm.makeRe(p.hostname).source : undefined, + port: p.port, + pathname: pm.makeRe(p.pathname ?? "**", { dot: true }).source, + // search is canary only as of June 2025 + search: (p as any).search, + })); + + // Local patterns are only in canary as of June 2025 + const nextLocalPatterns = (nextConfig.images as any)?.localPatterns ?? []; + + // https://github.com/vercel/next.js/blob/d76f0b13/packages/next/src/build/index.ts#L573 + const localPatterns = nextLocalPatterns.map((p: any) => ({ + pathname: pm.makeRe(p.pathname ?? "**", { dot: true }).source, + search: p.search, + })); + await build({ entryPoints: [initPath], outdir: path.join(options.outputDir, "cloudflare"), @@ -27,6 +50,8 @@ export async function compileInit(options: BuildOptions) { define: { __BUILD_TIMESTAMP_MS__: JSON.stringify(Date.now()), __NEXT_BASE_PATH__: JSON.stringify(basePath), + __IMAGES_REMOTE_PATTERNS__: JSON.stringify(remotePatterns), + __IMAGES_LOCAL_PATTERNS__: JSON.stringify(localPatterns), }, }); }
packages/cloudflare/src/cli/templates/init.ts+98 −0 modified@@ -140,11 +140,109 @@ function populateProcessEnv(url: URL, env: CloudflareEnv) { process.env.__NEXT_PRIVATE_ORIGIN = url.origin; } +export type RemotePattern = { + protocol?: "http" | "https"; + hostname: string; + port?: string; + pathname: string; + search?: string; +}; + +const imgRemotePatterns = __IMAGES_REMOTE_PATTERNS__; + +/** + * Fetches an images. + * + * Local images (starting with a '/' as fetched using the passed fetcher). + * Remote images should match the configured remote patterns or a 404 response is returned. + */ +export function fetchImage(fetcher: Fetcher | undefined, url: string) { + // https://github.com/vercel/next.js/blob/d76f0b1/packages/next/src/server/image-optimizer.ts#L208 + if (!url || url.length > 3072 || url.startsWith("//")) { + return new Response("Not Found", { status: 404 }); + } + + // Local + if (url.startsWith("/")) { + if (/\/_next\/image($|\/)/.test(decodeURIComponent(parseUrl(url)?.pathname ?? 
""))) { + return new Response("Not Found", { status: 404 }); + } + + return fetcher?.fetch(`http://assets.local${url}`); + } + + // Remote + let hrefParsed: URL; + try { + hrefParsed = new URL(url); + } catch { + return new Response("Not Found", { status: 404 }); + } + + if (!["http:", "https:"].includes(hrefParsed.protocol)) { + return new Response("Not Found", { status: 404 }); + } + + if (!imgRemotePatterns.some((p: RemotePattern) => matchRemotePattern(p, hrefParsed))) { + return new Response("Not Found", { status: 404 }); + } + + return fetch(url, { cf: { cacheEverything: true } }); +} + +export function matchRemotePattern(pattern: RemotePattern, url: URL): boolean { + // https://github.com/vercel/next.js/blob/d76f0b1/packages/next/src/shared/lib/match-remote-pattern.ts + if (pattern.protocol !== undefined) { + if (pattern.protocol.replace(/:$/, "") !== url.protocol.replace(/:$/, "")) { + return false; + } + } + if (pattern.port !== undefined) { + if (pattern.port !== url.port) { + return false; + } + } + + if (pattern.hostname === undefined) { + throw new Error(`Pattern should define hostname but found\n${JSON.stringify(pattern)}`); + } else { + if (!new RegExp(pattern.hostname).test(url.hostname)) { + return false; + } + } + + if (pattern.search !== undefined) { + if (pattern.search !== url.search) { + return false; + } + } + + // Should be the same as writeImagesManifest() + if (!new RegExp(pattern.pathname).test(url.pathname)) { + return false; + } + + return true; +} + +function parseUrl(url: string): URL | undefined { + let parsed: URL | undefined = undefined; + try { + parsed = new URL(url, "http://n"); + } catch { + // empty + } + return parsed; +} + /* eslint-disable no-var */ declare global { // Build timestamp var __BUILD_TIMESTAMP_MS__: number; // Next basePath var __NEXT_BASE_PATH__: string; + // Images patterns + var __IMAGES_REMOTE_PATTERNS__: RemotePattern[]; + var __IMAGES_LOCAL_PATTERNS__: unknown[]; } /* eslint-enable no-var */
packages/cloudflare/src/cli/templates/worker.ts+2 −4 modified@@ -1,5 +1,5 @@ //@ts-expect-error: Will be resolved by wrangler build -import { runWithCloudflareRequestContext } from "./cloudflare/init.js"; +import { fetchImage, runWithCloudflareRequestContext } from "./cloudflare/init.js"; // @ts-expect-error: Will be resolved by wrangler build import { handler as middlewareHandler } from "./middleware/handler.mjs"; @@ -31,9 +31,7 @@ export default { // Fallback for the Next default image loader. if (url.pathname === `${globalThis.__NEXT_BASE_PATH__}/_next/image`) { const imageUrl = url.searchParams.get("url") ?? ""; - return imageUrl.startsWith("/") - ? env.ASSETS?.fetch(`http://assets.local${imageUrl}`) - : fetch(imageUrl, { cf: { cacheEverything: true } }); + return fetchImage(env.ASSETS, imageUrl); } // - `Request`s are handled by the Next server
pnpm-lock.yaml+287 −36 modified@@ -192,7 +192,7 @@ importers: version: 5.7.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/bugs/gh-219: dependencies: @@ -219,7 +219,7 @@ importers: version: 2.1.1 drizzle-orm: specifier: ^0.38.3 - version: 0.38.4(@cloudflare/workers-types@4.20250109.0)(@libsql/client@0.14.0)(@opentelemetry/api@1.9.0)(@prisma/client@6.7.0(prisma@6.7.0(typescript@5.7.3))(typescript@5.7.3))(@types/better-sqlite3@7.6.12)(@types/react@19.0.0)(better-sqlite3@11.8.1)(prisma@6.7.0(typescript@5.7.3))(react@19.0.0) + version: 0.38.4(@cloudflare/workers-types@4.20250109.0)(@libsql/client@0.14.0)(@opentelemetry/api@1.9.0)(@prisma/client@6.7.0(prisma@6.7.0(typescript@5.7.3))(typescript@5.7.3))(@types/better-sqlite3@7.6.12)(@types/react@19.0.0)(better-sqlite3@11.8.1)(knex@3.1.0(better-sqlite3@11.8.1)(pg@8.16.0))(pg@8.16.0)(prisma@6.7.0(typescript@5.7.3))(react@19.0.0) firebase: specifier: ^11.1.0 version: 11.2.0 @@ -420,7 +420,7 @@ importers: version: 5.7.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/e2e/app-pages-router: dependencies: @@ -466,7 +466,7 @@ importers: version: 5.7.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/e2e/app-router: dependencies: @@ -512,7 +512,7 @@ importers: version: 5.7.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/e2e/experimental: dependencies: @@ -546,7 +546,7 @@ importers: version: 5.7.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/e2e/pages-router: dependencies: 
@@ -592,7 +592,7 @@ importers: version: 5.7.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/e2e/shared: dependencies: @@ -651,7 +651,7 @@ importers: version: 5.7.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/next-partial-prerendering: dependencies: @@ -712,7 +712,7 @@ importers: version: 5.5.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/overrides/d1-tag-next: dependencies: @@ -746,7 +746,7 @@ importers: version: 5.7.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/overrides/memory-queue: dependencies: @@ -780,7 +780,7 @@ importers: version: 5.7.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/overrides/r2-incremental-cache: dependencies: @@ -814,7 +814,7 @@ importers: version: 5.7.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/overrides/static-assets-incremental-cache: dependencies: @@ -848,7 +848,7 @@ importers: version: 5.7.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/playground14: dependencies: @@ -873,7 +873,7 @@ importers: version: 22.2.0 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/playground15: dependencies: 
@@ -898,7 +898,7 @@ importers: version: 22.2.0 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/prisma: dependencies: @@ -938,7 +938,7 @@ importers: version: 5.7.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/ssg-app: dependencies: @@ -972,7 +972,7 @@ importers: version: 5.7.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) examples/vercel-blog-starter: dependencies: @@ -1027,7 +1027,7 @@ importers: version: 5.7.3 wrangler: specifier: 'catalog:' - version: 4.19.1(@cloudflare/workers-types@4.20250109.0) + version: 4.19.1(@cloudflare/workers-types@4.20250224.0) packages/cloudflare: dependencies: @@ -1065,6 +1065,9 @@ importers: '@types/node': specifier: 'catalog:' version: 22.2.0 + '@types/picomatch': + specifier: ^4.0.0 + version: 4.0.0 diff: specifier: ^8.0.2 version: 8.0.2 @@ -1092,6 +1095,9 @@ importers: next: specifier: 'catalog:' version: 14.2.24(@opentelemetry/api@1.9.0)(@playwright/test@1.51.1)(react-dom@19.0.0(react@19.0.0))(react@19.0.0) + picomatch: + specifier: ^4.0.2 + version: 4.0.2 rimraf: specifier: 'catalog:' version: 6.0.1 @@ -4649,6 +4655,9 @@ packages: '@types/normalize-package-data@2.4.4': resolution: {integrity: sha512-37i+OaWTh9qeK4LSHPsyRC7NahnGotNuZvjLSgcPzblpHB3rrCJxAOgI5gCdKm7coonsaX1Of0ILiTcnZjbfxA==} + '@types/picomatch@4.0.0': + resolution: {integrity: sha512-J1Bng+wlyEERWSgJQU1Pi0HObCLVcr994xT/M+1wcl/yNRTGBupsCxthgkdYG+GCOMaQH7iSVUY3LJVBBqG7MQ==} + '@types/prop-types@15.7.12': resolution: {integrity: sha512-5zvhXYtRNRluoE/jAp4GVsSduVUzNWKkOZrCDBWYtE7biZywwdC2AcEzg+cSMLFRfVgeAFqpfNabiPjxFddV1Q==} 
@@ -5290,13 +5299,20 @@ packages: resolution: {integrity: sha512-1rXeuUUiGGrykh+CeBdu5Ie7OJwinCgQY0bc7GCRxy5xVHy+moaqkpL/jqQq0MtQOeYcrqEz4abc5f0KtU7W4A==} engines: {node: '>=12.5.0'} + colorette@2.0.19: + resolution: {integrity: sha512-3tlv/dIP7FWvj3BsbHrGLJ6l/oKh1O3TcgBqMn+yyCagOxc23fyzDS6HypQbgxWbkpDnf52p1LuR4eWDQ/K9WQ==} + combined-stream@1.0.8: resolution: {integrity: sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==} engines: {node: '>= 0.8'} comma-separated-tokens@2.0.3: resolution: {integrity: sha512-Fu4hJdvzeylCfQPp9SGWidpzrMs7tTrlu6Vb8XGaRGck8QSNZJJp538Wrb60Lax4fPwR64ViY468OIUTbRlGZg==} + commander@10.0.1: + resolution: {integrity: sha512-y4Mg2tXshplEbSGzx7amzPwKKOCGuoSRP/CjEdwwk0FOGlUbq6lKuoyDZTNZkmxHdJtp54hdfY/JUrdL7Xfdug==} + engines: {node: '>=14'} + commander@11.1.0: resolution: {integrity: sha512-yPVavfyCcRhmorC7rWlkHn15b4wDVgVmBA7kV4QVBsF7kv/9TKJAbAXVTxvTnwP8HHKjRCJDClKbciiYS7p0DQ==} engines: {node: '>=16'} @@ -6142,6 +6158,10 @@ packages: jiti: optional: true + esm@3.2.25: + resolution: {integrity: sha512-U1suiZ2oDVWv4zPO56S0NcR5QriEahGtdN2OR6FiOG4WJvcjBVFB0qI4+eKoWFH483PKGuLuu6V8Z4T5g63UVA==} + engines: {node: '>=6'} + espree@10.1.0: resolution: {integrity: sha512-M1M6CpiE6ffoigIOWYO9UDP8TMUw9kqb21tf+08IgDYjCsOvCuDt4jQcZmoYxx+w7zlKw9/N0KXfto+I8/FrXA==} engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} @@ -6436,6 +6456,10 @@ packages: resolution: {integrity: sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==} engines: {node: '>= 0.4'} + get-package-type@0.1.0: + resolution: {integrity: sha512-pjzuKtY64GYfWizNAJ0fr9VqttZkNiK2iS430LtIHzjBEr6bX8Am2zm4sW4Ro5wjWW5cAlRL1qAMTcXbjNAO2Q==} + engines: {node: '>=8.0.0'} + get-proto@1.0.1: resolution: {integrity: sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==} engines: {node: '>= 0.4'} 
@@ -6458,6 +6482,9 @@ packages: get-tsconfig@4.8.0: resolution: {integrity: sha512-Pgba6TExTZ0FJAn1qkJAjIeKoDJ3CsI2ChuLohJnZl/tTU8MVrq3b+2t5UOPfRa4RMsorClBjJALkJUMjG1PAw==} + getopts@2.3.0: + resolution: {integrity: sha512-5eDf9fuSXwxBL6q5HX+dhDj+dslFGWzU5thZ9kNKUkcPtaPdatmUFKwHFrLb/uf/WpA4BHET+AX3Scl56cAjpA==} + github-from-package@0.0.0: resolution: {integrity: sha512-SyHy3T1v2NUXn29OsWdxmK6RwHD+vkj3v8en8AOBZ1wBQ/hCAQ5bAQTD02kW4W9tUp/3Qh6J8r9EvntiyCmOOw==} @@ -6687,6 +6714,10 @@ packages: resolution: {integrity: sha512-4gd7VpWNQNB4UKKCFFVcp1AVv+FMOgs9NKzjHKusc8jTMhd5eL1NqQqOpE0KzMds804/yHlglp3uxgluOqAPLw==} engines: {node: '>= 0.4'} + interpret@2.2.0: + resolution: {integrity: sha512-Ju0Bz/cEia55xDwUWEa8+olFpCiQoypjnQySseKtmjNrnps3P+xfpUmGr90T7yjlVJmOtybRvPXhKMbHr+fWnw==} + engines: {node: '>= 0.10'} + ipaddr.js@1.9.1: resolution: {integrity: sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==} engines: {node: '>= 0.10'} @@ -7012,6 +7043,34 @@ packages: resolution: {integrity: sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==} engines: {node: '>=0.10.0'} + knex@3.1.0: + resolution: {integrity: sha512-GLoII6hR0c4ti243gMs5/1Rb3B+AjwMOfjYm97pu0FOQa7JH56hgBxYf5WK2525ceSbBY1cjeZ9yk99GPMB6Kw==} + engines: {node: '>=16'} + hasBin: true + peerDependencies: + better-sqlite3: '*' + mysql: '*' + mysql2: '*' + pg: '*' + pg-native: '*' + sqlite3: '*' + tedious: '*' + peerDependenciesMeta: + better-sqlite3: + optional: true + mysql: + optional: true + mysql2: + optional: true + pg: + optional: true + pg-native: + optional: true + sqlite3: + optional: true + tedious: + optional: true + ky@1.7.5: resolution: {integrity: sha512-HzhziW6sc5m0pwi5M196+7cEBtbt0lCYi67wNsiwMUmz833wloE0gbzJPWKs1gliFKQb34huItDQX97LyOdPdA==} engines: {node: '>=18'} 
@@ -7029,7 +7088,6 @@ packages: libsql@0.4.7: resolution: {integrity: sha512-T9eIRCs6b0J1SHKYIvD8+KCJMcWZ900iZyxdnSCdqxN12Z1ijzT+jY5nrk72Jw4B0HGzms2NgpryArlJqvc3Lw==} - cpu: [x64, arm64, wasm32] os: [darwin, linux, win32] lilconfig@2.1.0: @@ -7094,6 +7152,9 @@ packages: lodash.startcase@4.4.0: resolution: {integrity: sha512-+WKqsK294HMSc2jEbNgpHpd0JfIBhp7rEV4aqXWqFr6AlXov+SlcgB1Fv01y2kGe3Gc8nMW7VA0SrGuSkRfIEg==} + lodash@4.17.21: + resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==} + log-symbols@6.0.0: resolution: {integrity: sha512-i24m8rpwhmPIS4zscNzK6MSEhk0DUWa/8iYQWxhffV8jkI4Phvs3F+quL5xvS0gdQR0FyTCMMH33Y78dDTzzIw==} engines: {node: '>=18'} 
@@ -7903,6 +7964,43 @@ packages: pend@1.2.0: resolution: {integrity: sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg==} + pg-cloudflare@1.2.5: + resolution: {integrity: sha512-OOX22Vt0vOSRrdoUPKJ8Wi2OpE/o/h9T8X1s4qSkCedbNah9ei2W2765be8iMVxQUsvgT7zIAT2eIa9fs5+vtg==} + + pg-connection-string@2.6.2: + resolution: {integrity: sha512-ch6OwaeaPYcova4kKZ15sbJ2hKb/VP48ZD2gE7i1J+L4MspCtBMAx8nMgz7bksc7IojCIIWuEhHibSMFH8m8oA==} + + pg-connection-string@2.9.0: + resolution: {integrity: sha512-P2DEBKuvh5RClafLngkAuGe9OUlFV7ebu8w1kmaaOgPcpJd1RIFh7otETfI6hAR8YupOLFTY7nuvvIn7PLciUQ==} + + pg-int8@1.0.1: + resolution: {integrity: sha512-WCtabS6t3c8SkpDBUlb1kjOs7l66xsGdKpIPZsg4wR+B3+u9UAum2odSsF9tnvxg80h4ZxLWMy4pRjOsFIqQpw==} + engines: {node: '>=4.0.0'} + + pg-pool@3.10.0: + resolution: {integrity: sha512-DzZ26On4sQ0KmqnO34muPcmKbhrjmyiO4lCCR0VwEd7MjmiKf5NTg/6+apUEu0NF7ESa37CGzFxH513CoUmWnA==} + peerDependencies: + pg: '>=8.0' + + pg-protocol@1.10.0: + resolution: {integrity: sha512-IpdytjudNuLv8nhlHs/UrVBhU0e78J0oIS/0AVdTbWxSOkFUVdsHC/NrorO6nXsQNDTT1kzDSOMJubBQviX18Q==} + + pg-types@2.2.0: + resolution: {integrity: sha512-qTAAlrEsl8s4OiEQY69wDvcMIdQN6wdz5ojQiOy6YRMuynxenON0O5oCpJI6lshc6scgAY8qvJ2On/p+CXY0GA==} + engines: {node: '>=4'} + + pg@8.16.0: + resolution: {integrity: sha512-7SKfdvP8CTNXjMUzfcVTaI+TDzBEeaUnVwiVGZQD1Hh33Kpev7liQba9uLd4CfN8r9mCVsD0JIpq03+Unpz+kg==} + engines: {node: '>= 8.0.0'} + peerDependencies: + pg-native: '>=3.0.1' + peerDependenciesMeta: + pg-native: + optional: true + + pgpass@1.0.5: + resolution: {integrity: sha512-FdW9r/jQZhSeohs1Z3sI1yxFQNFvMcnmfuj4WBMUTxOrAyLMaTcE1aAMBiTlbMNaXvBCQuVi0R7hd8udDSP7ug==} + picocolors@1.0.0: resolution: {integrity: sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==} 
@@ -8025,6 +8123,22 @@ packages: resolution: {integrity: sha512-dle9A3yYxlBSrt8Fu+IpjGT8SY8hN0mlaA6GY8t0P5PjIOZemULz/E2Bnm/2dcUOena75OTNkHI76uZBNUUq3A==} engines: {node: ^10 || ^12 || >=14} + postgres-array@2.0.0: + resolution: {integrity: sha512-VpZrUqU5A69eQyW2c5CA1jtLecCsN2U/bD6VilrFDWq5+5UIEVO7nazS3TEcHf1zuPYO/sqGvUvW62g86RXZuA==} + engines: {node: '>=4'} + + postgres-bytea@1.0.0: + resolution: {integrity: sha512-xy3pmLuQqRBZBXDULy7KbaitYqLcmxigw14Q5sj8QBVLqEwXfeybIKVWiqAXTlcvdvb0+xkOtDbfQMOf4lST1w==} + engines: {node: '>=0.10.0'} + + postgres-date@1.0.7: + resolution: {integrity: sha512-suDmjLVQg78nMK2UZ454hAG+OAW+HQPZ6n++TNDUX+L0+uUlLywnoxJKDou51Zm+zTCjrCl0Nq6J9C5hP9vK/Q==} + engines: {node: '>=0.10.0'} + + postgres-interval@1.2.0: + resolution: {integrity: sha512-9ZhXKM/rw350N1ovuWHbGxnGh/SNJ4cnxHiM0rxE4VN41wsg8P8zWn9hv/buK00RP4WvlOyr/RBDiptyxVbkZQ==} + engines: {node: '>=0.10.0'} + preact-render-to-string@5.2.6: resolution: {integrity: sha512-JyhErpYOvBV1hEPwIxc/fHWXPfnEGdRKxc8gFdAZ7XV4tlzyzG847XAyEZqoDnynP88akM4eaHcSOzNcLWFguw==} peerDependencies: @@ -8218,6 +8332,10 @@ packages: resolution: {integrity: sha512-h80JrZu/MHUZCyHu5ciuoI0+WxsCxzxJTILn6Fs8rxSnFPh+UVHYfeIxK1nVGugMqkfC4vJcBOYbkfkwYK0+gw==} engines: {node: '>= 14.18.0'} + rechoir@0.8.0: + resolution: {integrity: sha512-/vxpCXddiX8NGfGO/mTafwjq4aFa/71pvamip0++IQk3zG8cbCj0fifNPrjjF1XMXUne91jL9OoxmdykoEtifQ==} + engines: {node: '>= 10.13.0'} + reflect.getprototypeof@1.0.10: resolution: {integrity: sha512-00o4I+DVrefhv+nX0ulyi3biSHCPDe+yLv5o/p6d/UVlirijB8E16FtfwSAi4g3tcqrQ4lRAqQSoFEZJehYEcw==} engines: {node: '>= 0.4'} 
@@ -8526,6 +8644,10 @@ packages: resolution: {integrity: sha512-qxQJTx2ryR0Dw0ITYyekNQWpz6f8dGd7vffGNflQQ3Iqj9NJ6qiZ7ELpZsJ/QBhIVAiDfXdag3+Gp8RvWa62AA==} engines: {node: '>=12'} + split2@4.2.0: + resolution: {integrity: sha512-UcjcJOWknrNkF6PLX83qcHM6KHgVKNkV62Y8a5uYDVv9ydGQVwAHMKqHdJje1VTWpljG0WYpCDhrCdAOYH4TWg==} + engines: {node: '>= 10.x'} + sprintf-js@1.0.3: resolution: {integrity: sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==} @@ -8757,6 +8879,10 @@ packages: resolution: {integrity: sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==} engines: {node: '>=18'} + tarn@3.0.2: + resolution: {integrity: sha512-51LAVKUSZSVfI05vjPESNc5vwqqZpbXCsU+/+wxlOrUjk2SnFTt97v9ZgQrD4YmxYW1Px6w2KjaDitCfkvgxMQ==} + engines: {node: '>=8.0.0'} + teeny-request@9.0.0: resolution: {integrity: sha512-resvxdc6Mgb7YEThw6G6bExlXKkv6+YbuzGg9xuXxSgxJF7Ozs+o8Y9+2R3sArdWdW8nOokoQb1yrpFB0pQK2g==} engines: {node: '>=14'} @@ -8780,6 +8906,10 @@ packages: thenify@3.3.1: resolution: {integrity: sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw==} + tildify@2.0.0: + resolution: {integrity: sha512-Cc+OraorugtXNfs50hU9KS369rFXCfgGLpfCfvlc+Ud5u6VWmUQsOAa9HbTvheQdYnrdJqqv1e5oIqXppMYnSw==} + engines: {node: '>=8'} + time-span@4.0.0: resolution: {integrity: sha512-MyqZCTGLDZ77u4k+jqg4UlrzPTPZ49NDlaekU6uuFaJLzPIN1woaRXCbGeqOfxwc3Y37ZROGAJ614Rdv7Olt+g==} engines: {node: '>=10'} 
@@ -9271,6 +9401,10 @@ packages: resolution: {integrity: sha512-sqMMuL1rc0FmMBOzCpd0yuy9trqF2yTTVe+E9ogwCSWQCdDEtQUwrZPT6AxqtsFGRNxycgncbP/xmOOSPw5ZUw==} engines: {node: '>= 6.0'} + xtend@4.0.2: + resolution: {integrity: sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==} + engines: {node: '>=0.4'} + y18n@5.0.8: resolution: {integrity: sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==} engines: {node: '>=10'} @@ -9285,11 +9419,6 @@ packages: resolution: {integrity: sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==} engines: {node: '>=18'} - yaml@2.7.0: - resolution: {integrity: sha512-+hSoy/QHluxmC9kCIJyL/uyFmLmc+e5CFR5Wa+bpIhIj85LVb9ZH2nVnqrHoSvKogwODv0ClqZkmiSSaIH5LTA==} - engines: {node: '>= 14'} - hasBin: true - yaml@2.7.1: resolution: {integrity: sha512-10ULxpnOCQXxJvBgxsn9ptjq6uviG/htZKk9veJGhlqn3w/DxQ631zFF+nlQXLwmImeS5amR2dl2U8sg6U9jsQ==} engines: {node: '>= 14'} @@ -11570,7 +11699,7 @@ snapshots: '@eslint/config-array@0.19.2': dependencies: '@eslint/object-schema': 2.1.6 - debug: 4.3.6 + debug: 4.4.0 minimatch: 3.1.2 transitivePeerDependencies: - supports-color @@ -11588,7 +11717,7 @@ snapshots: '@eslint/eslintrc@2.1.4': dependencies: ajv: 6.12.6 - debug: 4.3.6 + debug: 4.4.0 espree: 9.6.1 globals: 13.24.0 ignore: 5.3.2 @@ -11616,7 +11745,7 @@ snapshots: '@eslint/eslintrc@3.2.0': dependencies: ajv: 6.12.6 - debug: 4.3.6 + debug: 4.4.0 espree: 10.3.0 globals: 14.0.0 ignore: 5.3.2 @@ -12062,7 +12191,7 @@ snapshots: '@humanwhocodes/config-array@0.13.0': dependencies: '@humanwhocodes/object-schema': 2.0.3 - debug: 4.3.6 + debug: 4.4.0 minimatch: 3.1.2 transitivePeerDependencies: - supports-color @@ -13934,6 +14063,8 @@ snapshots: '@types/normalize-package-data@2.4.4': {} + '@types/picomatch@4.0.0': {} + '@types/prop-types@15.7.12': {} '@types/qs@6.9.18': {} 
@@ -14843,13 +14974,19 @@ snapshots: color-convert: 2.0.1 color-string: 1.9.1 + colorette@2.0.19: + optional: true + combined-stream@1.0.8: dependencies: delayed-stream: 1.0.0 optional: true comma-separated-tokens@2.0.3: {} + commander@10.0.1: + optional: true + commander@11.1.0: {} commander@2.20.3: {} @@ -15074,7 +15211,7 @@ snapshots: transitivePeerDependencies: - supports-color - drizzle-orm@0.38.4(@cloudflare/workers-types@4.20250109.0)(@libsql/client@0.14.0)(@opentelemetry/api@1.9.0)(@prisma/client@6.7.0(prisma@6.7.0(typescript@5.7.3))(typescript@5.7.3))(@types/better-sqlite3@7.6.12)(@types/react@19.0.0)(better-sqlite3@11.8.1)(prisma@6.7.0(typescript@5.7.3))(react@19.0.0): + drizzle-orm@0.38.4(@cloudflare/workers-types@4.20250109.0)(@libsql/client@0.14.0)(@opentelemetry/api@1.9.0)(@prisma/client@6.7.0(prisma@6.7.0(typescript@5.7.3))(typescript@5.7.3))(@types/better-sqlite3@7.6.12)(@types/react@19.0.0)(better-sqlite3@11.8.1)(knex@3.1.0(better-sqlite3@11.8.1)(pg@8.16.0))(pg@8.16.0)(prisma@6.7.0(typescript@5.7.3))(react@19.0.0): optionalDependencies: '@cloudflare/workers-types': 4.20250109.0 '@libsql/client': 0.14.0 @@ -15083,6 +15220,8 @@ snapshots: '@types/better-sqlite3': 7.6.12 '@types/react': 19.0.0 better-sqlite3: 11.8.1 + knex: 3.1.0(better-sqlite3@11.8.1)(pg@8.16.0) + pg: 8.16.0 prisma: 6.7.0(typescript@5.7.3) react: 19.0.0 @@ -16193,6 +16332,9 @@ snapshots: transitivePeerDependencies: - supports-color + esm@3.2.25: + optional: true + espree@10.1.0: dependencies: acorn: 8.14.0 @@ -16330,7 +16472,7 @@ snapshots: '@nodelib/fs.walk': 1.2.8 glob-parent: 5.1.2 merge2: 1.4.1 - micromatch: 4.0.7 + micromatch: 4.0.8 fast-glob@3.3.2: dependencies: @@ -16602,6 +16744,9 @@ snapshots: hasown: 2.0.2 math-intrinsics: 1.1.0 + get-package-type@0.1.0: + optional: true + get-proto@1.0.1: dependencies: dunder-proto: 1.0.1 
@@ -16628,6 +16773,9 @@ snapshots: dependencies: resolve-pkg-maps: 1.0.0 + getopts@2.3.0: + optional: true + github-from-package@0.0.0: {} glob-parent@5.1.2: @@ -16919,6 +17067,9 @@ snapshots: hasown: 2.0.2 side-channel: 1.1.0 + interpret@2.2.0: + optional: true + ipaddr.js@1.9.1: {} is-arguments@1.1.1: @@ -17263,6 +17414,29 @@ snapshots: kind-of@6.0.3: {} + knex@3.1.0(better-sqlite3@11.8.1)(pg@8.16.0): + dependencies: + colorette: 2.0.19 + commander: 10.0.1 + debug: 4.3.4 + escalade: 3.2.0 + esm: 3.2.25 + get-package-type: 0.1.0 + getopts: 2.3.0 + interpret: 2.2.0 + lodash: 4.17.21 + pg-connection-string: 2.6.2 + rechoir: 0.8.0 + resolve-from: 5.0.0 + tarn: 3.0.2 + tildify: 2.0.0 + optionalDependencies: + better-sqlite3: 11.8.1 + pg: 8.16.0 + transitivePeerDependencies: + - supports-color + optional: true + ky@1.7.5: {} language-subtag-registry@0.3.23: {} @@ -17331,6 +17505,9 @@ snapshots: lodash.startcase@4.4.0: {} + lodash@4.17.21: + optional: true + log-symbols@6.0.0: dependencies: chalk: 5.3.0 @@ -18258,6 +18435,51 @@ snapshots: pend@1.2.0: {} + pg-cloudflare@1.2.5: + optional: true + + pg-connection-string@2.6.2: + optional: true + + pg-connection-string@2.9.0: + optional: true + + pg-int8@1.0.1: + optional: true + + pg-pool@3.10.0(pg@8.16.0): + dependencies: + pg: 8.16.0 + optional: true + + pg-protocol@1.10.0: + optional: true + + pg-types@2.2.0: + dependencies: + pg-int8: 1.0.1 + postgres-array: 2.0.0 + postgres-bytea: 1.0.0 + postgres-date: 1.0.7 + postgres-interval: 1.2.0 + optional: true + + pg@8.16.0: + dependencies: + pg-connection-string: 2.9.0 + pg-pool: 3.10.0(pg@8.16.0) + pg-protocol: 1.10.0 + pg-types: 2.2.0 + pgpass: 1.0.5 + optionalDependencies: + pg-cloudflare: 1.2.5 + optional: true + + pgpass@1.0.5: + dependencies: + split2: 4.2.0 + optional: true + picocolors@1.0.0: {} picocolors@1.0.1: {} 
@@ -18319,31 +18541,31 @@ snapshots: postcss-load-config@4.0.2(postcss@8.5.1)(ts-node@10.9.1(@types/node@20.14.10)(typescript@5.5.3)): dependencies: lilconfig: 3.1.2 - yaml: 2.7.0 + yaml: 2.7.1 optionalDependencies: postcss: 8.5.1 ts-node: 10.9.1(@types/node@20.14.10)(typescript@5.5.3) postcss-load-config@4.0.2(postcss@8.5.1)(ts-node@10.9.1(@types/node@20.17.6)(typescript@5.7.3)): dependencies: lilconfig: 3.1.2 - yaml: 2.7.0 + yaml: 2.7.1 optionalDependencies: postcss: 8.5.1 ts-node: 10.9.1(@types/node@20.17.6)(typescript@5.7.3) postcss-load-config@4.0.2(postcss@8.5.1)(ts-node@10.9.1(@types/node@22.12.0)(typescript@5.7.3)): dependencies: lilconfig: 3.1.2 - yaml: 2.7.0 + yaml: 2.7.1 optionalDependencies: postcss: 8.5.1 ts-node: 10.9.1(@types/node@22.12.0)(typescript@5.7.3) postcss-load-config@4.0.2(postcss@8.5.1)(ts-node@10.9.1(@types/node@22.2.0)(typescript@5.7.3)): dependencies: lilconfig: 3.1.2 - yaml: 2.7.0 + yaml: 2.7.1 optionalDependencies: postcss: 8.5.1 ts-node: 10.9.1(@types/node@22.2.0)(typescript@5.7.3) @@ -18401,6 +18623,20 @@ snapshots: picocolors: 1.1.1 source-map-js: 1.2.1 + postgres-array@2.0.0: + optional: true + + postgres-bytea@1.0.0: + optional: true + + postgres-date@1.0.7: + optional: true + + postgres-interval@1.2.0: + dependencies: + xtend: 4.0.2 + optional: true + preact-render-to-string@5.2.6(preact@10.25.4): dependencies: preact: 10.25.4 @@ -18617,6 +18853,11 @@ snapshots: readdirp@4.1.1: {} + rechoir@0.8.0: + dependencies: + resolve: 1.22.10 + optional: true + reflect.getprototypeof@1.0.10: dependencies: call-bind: 1.0.8 @@ -19067,6 +19308,9 @@ snapshots: split-on-first@3.0.0: {} + split2@4.2.0: + optional: true + sprintf-js@1.0.3: {} stackback@0.0.2: {} @@ -19458,6 +19702,9 @@ snapshots: mkdirp: 3.0.1 yallist: 5.0.0 + tarn@3.0.2: + optional: true + teeny-request@9.0.0: dependencies: http-proxy-agent: 5.0.0 
@@ -19489,6 +19736,9 @@ snapshots: dependencies: any-promise: 1.3.0 + tildify@2.0.0: + optional: true + time-span@4.0.0: dependencies: convert-hrtime: 3.0.0 @@ -20113,6 +20363,9 @@ snapshots: dependencies: os-paths: 4.4.0 + xtend@4.0.2: + optional: true + y18n@5.0.8: {} yallist@3.1.1: {} @@ -20121,8 +20374,6 @@ snapshots: yallist@5.0.0: {} - yaml@2.7.0: {} - yaml@2.7.1: {} yargs-parser@21.1.1: {}
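Review bot: in packages/cloudflare/package.json, `"picomatch": "^4.0.2"` is added between `next` and `rimraf`, in the same block as eslint, typescript and the `@types/*` entries, while compile-init.ts imports it (`import pm from "picomatch"`) in CLI code that runs during the user's build. Confirm that the published CLI bundles picomatch; if it does not, the entry belongs in `dependencies` so that an install of the package resolves it.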
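Review bot: in compile-init.ts, a remote pattern without a hostname is passed through as `hostname: undefined` and is only rejected at request time, where matchRemotePattern throws from inside `imgRemotePatterns.some(...)`; one bad config entry can then turn remote image requests into unhandled exceptions instead of the 404 used everywhere else. Fail the build in the `nextRemotePatterns.map(...)` callback when `p.hostname` is missing, and consider emitting precompiled patterns so the worker does not call `new RegExp(...)` per pattern on every request.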
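Review bot: in init.ts, the local branch of fetchImage never consults `__IMAGES_LOCAL_PATTERNS__`, so the localPatterns compiled in compile-init.ts have no effect and every path starting with "/" except /_next/image is fetched from assets; enforce them there or drop the define until they are used. In the same branch `decodeURIComponent(...)` sits outside any try/catch, so a malformed percent-escape throws instead of returning the 404. On the remote branch the pattern check covers only the requested URL: `fetch(url, { cf: { cacheEverything: true } })` sets no `redirect` option and the response content type is not checked, so consider `redirect: "manual"` with the Location target re-validated against the same patterns, and rejecting non-image responses.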
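Review bot: in worker.ts, the handler now returns `fetchImage(env.ASSETS, imageUrl)` directly, and for a local URL fetchImage returns `fetcher?.fetch(...)`, which is undefined when the ASSETS binding is absent, so the handler can still return undefined rather than a Response; return an explicit 404 in that case. None of the six changed files is a test: matchRemotePattern and fetchImage are the security boundary of this fix and should land with unit tests covering protocol, port, hostname and pathname mismatches.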
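Review bot: most of the pnpm-lock.yaml churn is unrelated to picomatch. The hunks add knex@3.1.0, pg@8.16.0 and their transitive packages (lodash, esm, commander@10.0.1, tarn and others) as optional peers of drizzle-orm, bump @cloudflare/workers-types to 4.20250224.0 for wrangler in the example importers, move debug and micromatch to newer versions, and drop the `cpu: [x64, arm64, wasm32]` line from libsql@0.4.7. For a security fix, regenerate the lockfile so the diff is limited to picomatch and @types/picomatch, or move the rest into its own change where it can be reviewed on its own.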
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rvpw-p7vw-wj3m (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-6087 (ghsa, ADVISORY)
- github.com/cloudflare/workers-sdk/pull/9608 (ghsa, WEB)
- github.com/opennextjs/opennextjs-cloudflare/commit/36119c0f490c95b3d4f6e826d745b728c80625ab (ghsa, WEB)
- github.com/opennextjs/opennextjs-cloudflare/pull/727 (ghsa, WEB)
- github.com/opennextjs/opennextjs-cloudflare/security/advisories/GHSA-rvpw-p7vw-wj3m (ghsa, WEB)