Platform
nodejs
Component
@opennextjs/cloudflare
Fixed in
1.3.0
1.17.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the @opennextjs/cloudflare package, affecting versions 1.0.0 through 1.2.9. It allows unauthenticated users to proxy arbitrary remote content through the /_next/image endpoint, so that resources from external hosts are served under the victim site's domain. The root cause is a feature the Cloudflare adapter for Open Next had not implemented: the check that restricts which remote hosts /_next/image may fetch from. A fix is available in version 1.3.0.
The SSRF vulnerability in @opennextjs/cloudflare lets attackers load remote resources from arbitrary hosts under the victim site's domain. For example, an attacker can craft a URL such as https://victim-site.com/_next/image?url=https://attacker.com to have the victim site fetch and return content from the attacker's server, effectively using the victim site as an open proxy. Because the response is served from the victim's origin, it carries the trust of that domain (same-origin assumptions, CSP allowances, cached responses) and can be used for phishing or malware delivery. The page also warns that the endpoint may be used to reach internal resources that are not publicly accessible, potentially exposing sensitive data or allowing interaction with internal services; note that the fetch is issued by the Worker from Cloudflare's edge rather than from the site owner's private network, so which internal hosts are actually reachable depends on the deployment. The impact is amplified if the victim site has access to sensitive internal APIs or databases.
CVE-2025-6087 was publicly disclosed on 2025-06-16. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation and the public disclosure.
Sites using @opennextjs/cloudflare versions 1.0.0 through 1.2.9, in practice those deployed on Cloudflare, are at risk. Because exploitation needs only an unauthenticated GET request, every affected deployment reachable from the internet is exposed; shared or multi-tenant hosting environments built on this package are especially exposed, since a single vulnerable deployment becomes a proxy for anyone who finds it.
• nodejs / supply-chain:
npm list @opennextjs/cloudflare
• generic web:
curl -I "https://your-site.com/_next/image?url=https://evil.com&w=64&q=75"
Inspect the response headers and body to see whether the request is being proxied. The `w` and `q` parameters are included because the Next.js image endpoint rejects requests without them with a 400, which would otherwise mask the result. Prefer a host you control in place of evil.com and watch its logs for the inbound fetch; that is stronger evidence than the response headers alone. A patched deployment should refuse the request with a 4xx instead of returning the remote content.
disclosure
Exploit status
EPSS
0.23% (45th percentile)
CISA SSVC
The primary mitigation for CVE-2025-6087 is to upgrade to version 1.3.0 or later of the @opennextjs/cloudflare package. If upgrading is not immediately feasible, implement a Web Application Firewall (WAF) rule that blocks requests to /_next/image whose `url` parameter is an absolute URL pointing to a host outside the set of image sources your site actually uses. Where the Worker's outbound requests can be constrained, limit them to the hosts the site needs. Monitor access logs for requests to /_next/image whose `url` parameter names unexpected hosts or arrives from unexpected sources. After upgrading, confirm the vulnerability is resolved by requesting a known external URL through /_next/image and verifying that the request is rejected or fails rather than returning the remote content.
Update the @opennextjs/cloudflare package to version 1.3.0 or later. In addition, use the `remotePatterns` option in the Next.js configuration to explicitly allowlist the external URLs from which images may be loaded.
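The two pieces above, the exploit URL shape and the `remotePatterns` allowlist, can be shown together in working code. The following is an added example, not code from @opennextjs/cloudflare or Next.js: it implements a `remotePatterns`-style check for the `url` parameter of /_next/image (a simplified reading of the Next.js pattern semantics, not the framework's implementation) and then runs the same check over a few constructed access-log lines to flag requests that a vulnerable adapter would have proxied. The `REMOTE_PATTERNS` config, the function names and the log format are assumptions made for the illustration.

```javascript
// Added example: remotePatterns-style allowlist for /_next/image plus an access-log scan.
// Not code from @opennextjs/cloudflare or Next.js; pattern semantics are simplified.

// Hypothetical images.remotePatterns from the victim site's next.config.js (assumption).
const REMOTE_PATTERNS = [
  { protocol: 'https', hostname: 'cdn.example.com', pathname: '/images/**' },
  { protocol: 'https', hostname: '**.media.example.com' },
];

// Hostname match: exact label match, `*.host` (exactly one extra label),
// or `**.host` (one or more extra labels). Case-insensitive.
function hostnameMatches(pattern, hostname) {
  const p = pattern.toLowerCase();
  const h = hostname.toLowerCase();
  if (p.startsWith('**.')) {
    const base = p.slice(3);
    return h.endsWith('.' + base) && h.length > base.length + 1;
  }
  if (p.startsWith('*.')) {
    const base = p.slice(2);
    if (!h.endsWith('.' + base)) return false;
    const prefix = h.slice(0, h.length - base.length - 1);
    return prefix.length > 0 && !prefix.includes('.');
  }
  return p === h;
}

// Pathname match: undefined or `**` allows any path; `/dir/**` allows anything under /dir/;
// anything else must match exactly.
function pathnameMatches(pattern, pathname) {
  if (pattern === undefined || pattern === '**') return true;
  if (pattern.endsWith('/**')) return pathname.startsWith(pattern.slice(0, -2));
  return pattern === pathname;
}

function matchRemotePattern(pattern, url) {
  if (pattern.protocol !== undefined && pattern.protocol !== url.protocol.slice(0, -1)) return false;
  if (pattern.port !== undefined && pattern.port !== url.port) return false;
  if (!hostnameMatches(pattern.hostname, url.hostname)) return false;
  return pathnameMatches(pattern.pathname, url.pathname);
}

// Decide what /_next/image may fetch for a given `url` parameter. Same-origin relative
// paths are allowed as-is; absolute URLs must be http(s) and match at least one pattern.
// Returns the URL to fetch, or null when the request must be rejected (HTTP 400).
// A vulnerable adapter is the version of this function that returns rawUrl unconditionally.
function resolveImageTarget(rawUrl, patterns = REMOTE_PATTERNS) {
  if (typeof rawUrl !== 'string' || rawUrl.length === 0) return null;
  if (rawUrl.startsWith('/') && !rawUrl.startsWith('//')) return rawUrl; // same-origin asset
  let url;
  try {
    url = new URL(rawUrl); // rejects protocol-relative `//host/...` (no base) and garbage
  } catch {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!patterns.some((p) => matchRemotePattern(p, url))) return null;
  return url.href;
}

// Scan access-log lines for /_next/image requests whose `url` fails the allowlist.
// Assumed line format (constructed): `<ip> - - [<ts>] "<method> <path> HTTP/1.1" <status>`.
function findSuspiciousImageRequests(lines, patterns = REMOTE_PATTERNS) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|HEAD) (\/_next\/image\?[^ "]*) HTTP/);
    if (!m) continue;
    // Parse the request path against a placeholder base so searchParams decodes `url`.
    const target = new URL(m[1], 'http://placeholder.invalid').searchParams.get('url');
    if (resolveImageTarget(target, patterns) === null) {
      hits.push({ ip: line.split(' ')[0], url: target });
    }
  }
  return hits;
}

// Constructed sample log: one legitimate CDN fetch, one same-origin asset, two abusive
// requests (open-proxy use and a cloud metadata address), and one unrelated request.
const SAMPLE_LOG = [
  '203.0.113.5 - - [16/Jun/2025:10:00:01 +0000] "GET /_next/image?url=https%3A%2F%2Fcdn.example.com%2Fimages%2Fhero.png&w=640&q=75 HTTP/1.1" 200',
  '203.0.113.5 - - [16/Jun/2025:10:00:02 +0000] "GET /_next/image?url=%2Flogo.svg&w=64&q=75 HTTP/1.1" 200',
  '198.51.100.7 - - [16/Jun/2025:10:00:03 +0000] "GET /_next/image?url=https%3A%2F%2Fattacker.example%2Fpayload.png&w=64&q=75 HTTP/1.1" 200',
  '198.51.100.7 - - [16/Jun/2025:10:00:04 +0000] "GET /_next/image?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F&w=64&q=75 HTTP/1.1" 200',
  '192.0.2.9 - - [16/Jun/2025:10:00:05 +0000] "GET /api/health HTTP/1.1" 200',
];

console.log(findSuspiciousImageRequests(SAMPLE_LOG));
```

The check is deliberately strict about protocol and hostname: a scheme other than http(s), a protocol-relative `//host` value, or any host outside `REMOTE_PATTERNS` is rejected before a fetch is attempted. The same `resolveImageTarget` function drives the log scan, so the WAF rule, the monitoring query and the runtime check all agree on what "suspicious" means.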
CVE-2025-6087 is a Server-Side Request Forgery vulnerability in the @opennextjs/cloudflare package, allowing unauthenticated users to proxy requests through the /_next/image endpoint.
You are affected if you are using @opennextjs/cloudflare versions 1.0.0 through 1.2.9. Upgrade to 1.3.0 or later to resolve the issue.
Upgrade to version 1.3.0 or later of the @opennextjs/cloudflare package. As a temporary workaround, implement a WAF rule that blocks /_next/image requests whose `url` parameter points to a host outside your allowlist.
There is currently no confirmed active exploitation, but public PoCs are likely to emerge.
Refer to the @opennextjs project's official advisory channels for updates and further information.