CVE-2025-6087 – @opennextjs/cloudflare
Package
Manager: npm
Name: @opennextjs/cloudflare
Vulnerable Version: >=0 <1.3.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N
EPSS: 0.00108 pctl0.29631
Details
OpenNext for Cloudflare (opennextjs-cloudflare) has an SSRF vulnerability via the `/_next/image` endpoint.

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the `/_next/image` endpoint. This issue allowed attackers to load remote resources from arbitrary hosts under the victim site’s domain for any site deployed using the Cloudflare adapter for Open Next. For example: `https://victim-site.com/_next/image?url=https://attacker.com`. In this example, attacker-controlled content from attacker.com is served through the victim site’s domain (`victim-site.com`), violating the same-origin policy and potentially misleading users or other services.

### Impact

- SSRF via unrestricted remote URL loading
- Arbitrary remote content loading
- Potential internal service exposure or phishing risks through domain abuse

### Mitigation

The following mitigations have been put in place:

- **Server side updates** to Cloudflare’s platform to restrict the content loaded via the `/_next/image` endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next.
- **Root cause fix**: Pull request https://github.com/opennextjs/opennextjs-cloudflare/pull/727 to the Cloudflare adapter for Open Next. The patched version of the adapter is [@opennextjs/cloudflare@1.3.0](https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.3.0).
- **Package dependency update**: Pull request https://github.com/cloudflare/workers-sdk/pull/9608 to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare is [create-cloudflare@2.49.3](https://www.npmjs.com/package/create-cloudflare/v/2.49.3).

In addition to the automatic mitigation deployed on Cloudflare’s platform, we encourage affected users to upgrade to @opennextjs/cloudflare v1.3.0 and use the [remotePatterns](https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns) filter in the Next config if they need to allow-list external URLs for image assets.

### Credits

Disclosed responsibly by security researcher Edward Coristine. Thank you for the report.

### References

https://www.cve.org/cverecord?id=CVE-2025-6087
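The following Node.js snippet is an added example, not code from the advisory, from Next.js, or from the @opennextjs/cloudflare project. It shows the "deny unless allow-listed" posture that the `remotePatterns` mitigation describes: an image-proxy endpoint that takes a `url` parameter should serve local paths, proxy only remote URLs matching an explicit allow-list, and reject everything else (including the `https://attacker.com` shape from the advisory). The allow-list entries, the hostnames `cdn.example.com` and `images.example.net`, and the `**`/`*` glob handling are all constructed for illustration and are a simplified model of `remotePatterns` semantics, not Next.js's own matcher.

```javascript
// Added example: allow-list check for a remote-image proxy endpoint such as
// /_next/image?url=... . Not from the advisory or the @opennextjs/cloudflare
// project; the patterns and hostnames below are constructed for illustration.
//
// The equivalent next.config.js fragment for the first entry would look like:
//   module.exports = { images: { remotePatterns: [
//     { protocol: "https", hostname: "cdn.example.com", pathname: "/assets/**" },
//   ] } };

// Constructed allow-list: only these hosts, over HTTPS, may be proxied.
const REMOTE_PATTERNS = [
  { protocol: "https", hostname: "cdn.example.com", pathname: "/assets/**" },
  { protocol: "https", hostname: "**.images.example.net" },
];

// Turn a glob into an anchored RegExp: `*` matches within one label/segment,
// `**` matches across separators. `sep` is "." for hostnames, "/" for paths.
function globToRegExp(glob, sep) {
  const source = glob
    .split("**")
    .map((chunk) =>
      chunk
        .split("*")
        .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
        .join(`[^${sep}]*`)
    )
    .join(".*");
  return new RegExp(`^${source}$`);
}

// True when a parsed URL satisfies every field the pattern specifies.
function matchesPattern(url, pattern) {
  if (pattern.protocol && url.protocol !== `${pattern.protocol}:`) return false;
  if (pattern.port !== undefined && url.port !== pattern.port) return false;
  if (!globToRegExp(pattern.hostname, ".").test(url.hostname)) return false;
  if (pattern.pathname && !globToRegExp(pattern.pathname, "/").test(url.pathname)) return false;
  return true;
}

// True only for an absolute http(s) URL, without embedded credentials, that
// matches at least one allow-list entry. Anything unparsable is denied.
function isAllowedRemoteImage(rawUrl, patterns = REMOTE_PATTERNS) {
  let url;
  try {
    url = new URL(rawUrl); // relative or protocol-relative inputs throw here
  } catch {
    return false;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  if (url.username || url.password) return false; // e.g. https://cdn.example.com@other-host/
  return patterns.some((p) => matchesPattern(url, p));
}

// Decide how an image request's `url` parameter should be handled.
// Local paths are served, allow-listed remote URLs are proxied, the rest rejected.
function handleImageRequest(queryUrl) {
  if (queryUrl.startsWith("/") && !queryUrl.startsWith("//")) {
    return { status: 200, action: "serve-local", target: queryUrl };
  }
  if (isAllowedRemoteImage(queryUrl)) {
    return { status: 200, action: "proxy", target: queryUrl };
  }
  return { status: 400, action: "reject", target: queryUrl };
}

// Stand-alone demonstration with constructed inputs.
for (const q of [
  "/logo.png",
  "https://cdn.example.com/assets/logo.png",
  "https://eu.images.example.net/photo.jpg",
  "https://attacker.com",
  "https://cdn.example.com/private/dump.bin",
  "//attacker.com/x.png",
]) {
  const r = handleImageRequest(q);
  console.log(`${r.status} ${r.action.padEnd(11)} ${q}`);
}
```

The check runs before any fetch is made, so a rejected URL never causes an outbound request from the server. Keeping the allow-list explicit (protocol, host and path prefix) rather than host-only also blocks the "any path on an otherwise trusted host" case.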
Metadata
Created: 2025-06-16T19:37:16Z
Modified: 2025-06-16T21:46:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-rvpw-p7vw-wj3m/GHSA-rvpw-p7vw-wj3m.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-rvpw-p7vw-wj3m
Finding: F100
Auto approve: 1