Platform: nodejs
Component: next
Fixed in: 12.3.6, 13.5.10, 14.2.26, 15.2.4
CVE-2025-30218 is a Server-Side Request Forgery (SSRF) vulnerability discovered in Next.js Middleware during the remediation of CVE-2025-29927. It allows an attacker to trigger unintended server-side requests, which can lead to information disclosure or access to internal resources. The vulnerability affects Next.js versions 12.3.5 and earlier, and a fix is available in version 12.3.6.
The SSRF in Next.js Middleware lets an attacker craft requests that the server then issues on their behalf. This can expose internal services or resources that are not directly reachable from the internet. Although the CVSS score is Low (2.5), successful exploitation could reveal sensitive information or serve as a stepping stone for further attacks, especially in environments with complex internal network layouts. The impact is greater where the Middleware proxies requests to internal APIs or databases, since an attacker could use it to bypass access controls and reach those systems.
This vulnerability was independently verified by Vercel alongside reports from researchers Jinseo Kim and RyotaK (GMO Flatt Security Inc.). Public proof-of-concept code is not currently available, but the vulnerability has been disclosed. It was published on April 2, 2025. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.21% (42nd percentile)
The primary mitigation for CVE-2025-30218 is to upgrade to Next.js version 12.3.6 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing strict input validation and sanitization on any URLs passed to the Middleware. Additionally, configure your firewall or proxy to restrict outbound connections from the Next.js server to only trusted destinations. Monitor your server logs for unusual outbound requests that might indicate exploitation attempts.
Update Next.js to version 12.3.6, 13.5.10, 14.2.26, or 15.2.4, or a later version. This corrects the defect that leaks the x-middleware-subrequest-id header to external hosts. The update can be performed using npm or yarn.
What is CVE-2025-30218?
CVE-2025-30218 is a Server-Side Request Forgery vulnerability in Next.js Middleware that allows attackers to trigger unintended server-side requests. It affects versions 12.3.5 and earlier.
Am I affected?
Yes, if you are using Next.js Middleware version 12.3.5 or earlier, you are affected by this vulnerability.
How do I fix it?
Upgrade to Next.js version 12.3.6 or later to resolve the vulnerability. Implement input validation as a temporary workaround if upgrading is not immediately possible.
Is it being exploited?
While no active exploitation has been confirmed, the vulnerability has been disclosed and could be targeted by attackers.
Where is the official advisory?
You can find the official advisory on the Vercel changelog: https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O.