Platform: nodejs
Component: next
Fixed in: 14.2.32, 14.2.33, 15.4.8
A Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2025-57822, has been identified in Next.js Middleware. The issue arises when middleware passes the incoming request's headers directly into NextResponse.next(), which can allow an attacker to forge server-side requests in self-hosted applications. It affects Next.js 14.x prior to 14.2.32 and 15.x prior to 15.4.7; users are strongly advised to upgrade.
Because the forged request is issued by the Next.js server, it appears to originate from the server itself and reaches whatever that server can reach: internal services, private network ranges, and other endpoints that are not exposed to the client. The consequences depend on the environment: scanning the internal network, reading data from internal services, or, where an internal service is itself vulnerable, using the SSRF as a pivot into it. The impact is greatest in self-hosted deployments where the middleware fronts incoming requests and the server has broad internal network access, since the SSRF effectively bypasses network-level controls.
The vulnerability was publicly disclosed on August 29, 2025. There is currently no indication of active exploitation campaigns, and it is not listed in CISA's KEV catalog at the time of writing. Because the impact is limited to self-hosted Next.js applications, the affected population is smaller than the framework's overall install base.
Exploit Status
EPSS: 5.63% (90th percentile)
The primary mitigation for CVE-2025-57822 is to upgrade to Next.js 14.2.32 or 15.4.7 (or later). If an immediate upgrade is not feasible, review every custom middleware for code that passes request headers directly into NextResponse.next(), and construct the headers you forward explicitly instead of copying the incoming set, so that client-supplied headers are not reflected. A Web Application Firewall (WAF) can add a layer of filtering for suspicious header values, but it is a stop-gap, not a substitute for the fix. After upgrading, confirm the fix by sending a request through the affected middleware path carrying the header values your review identified as reflected, and verify that they are no longer honored.
Update Next.js to 14.2.32 or later on the 14.x line, or to 15.4.7 or later on the 15.x line. Also verify how your custom middleware calls `next()`: if you need to modify request headers, build a new Headers object and pass it explicitly through the `request` option (`NextResponse.next({ request: { headers } })`) rather than handing the incoming `request.headers` to `NextResponse.next()` directly.
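The following is an added example, not code from the Vercel advisory or from the Next.js project. It places the header-reflecting shape the advisory warns about beside a hardened version that forwards an explicit allowlist through the `request` option, plus a small review helper for the "review all custom middleware" step. Everything beyond the documented `NextResponse.next()` options is this example's own assumption: the `vulnerableNextInit`/`hardenedNextInit`/`reflectedUnsafeHeaders` names, the blocked and allowlisted header names, and the constructed sample request (including the metadata-service address used as a placeholder target). It runs under plain Node.js 18 or later using the global Request/Headers, so `next/server` is not needed to try it.

```javascript
// Added example (not from the advisory or the Next.js repository).
// Only the init objects handed to NextResponse.next() are built here, so
// this runs without next/server. In a real middleware.ts you would write:
//   import { NextResponse } from 'next/server';
//   export function middleware(request) {
//     return NextResponse.next(hardenedNextInit(request));
//   }

// Header names that must never be copied from the client's request into
// what the middleware emits. This list is the example's assumption:
// Next.js-internal control headers (x-middleware-*), hop-by-hop/framing
// headers, and credential-bearing headers.
const BLOCKED_PREFIX = 'x-middleware-';
const BLOCKED = new Set([
  'host', 'connection', 'content-length', 'transfer-encoding',
  'location', 'cookie', 'set-cookie', 'authorization',
]);

// Headers the application actually needs downstream (assumed allowlist).
const FORWARD_ALLOWLIST = ['accept', 'accept-language', 'user-agent', 'x-request-id'];

function isBlocked(name) {
  const n = name.toLowerCase();
  return BLOCKED.has(n) || n.startsWith(BLOCKED_PREFIX);
}

// VULNERABLE shape the advisory describes: the client's headers are passed
// to NextResponse.next() verbatim, so any header the attacker sends,
// internal control headers included, is reflected by the middleware.
function vulnerableNextInit(request) {
  return { headers: request.headers };
}

// HARDENED shape: start from an empty Headers object, copy only allowlisted
// names, and pass them via the `request` option so they modify the forwarded
// request rather than becoming response headers.
function hardenedNextInit(request) {
  const forwarded = new Headers();
  for (const name of FORWARD_ALLOWLIST) {
    const value = request.headers.get(name);
    if (value !== null && !isBlocked(name)) forwarded.set(name, value);
  }
  return { request: { headers: forwarded } };
}

// Review aid: given the headers a middleware is about to emit, list the
// blocked names whose value is identical to what the client sent, i.e.
// client-controlled headers being reflected. Returns a sorted array.
function reflectedUnsafeHeaders(request, emittedHeaders) {
  const emitted = new Headers(emittedHeaders);
  const findings = [];
  for (const [name, value] of emitted) {
    if (isBlocked(name) && request.headers.get(name) === value) findings.push(name);
  }
  return findings.sort();
}

// Constructed sample request: a client smuggling an internal control header
// and a bearer token alongside an ordinary Accept header.
const sampleRequest = new Request('https://app.example.internal/dashboard', {
  headers: {
    accept: 'text/html',
    authorization: 'Bearer constructed-token',
    'x-middleware-rewrite': 'http://169.254.169.254/latest/meta-data/',
  },
});

// Stand-alone demonstration: the vulnerable init reflects both unsafe
// headers, the hardened init reflects none.
console.log('vulnerable:', reflectedUnsafeHeaders(sampleRequest, vulnerableNextInit(sampleRequest).headers));
console.log('hardened:  ', reflectedUnsafeHeaders(sampleRequest, hardenedNextInit(sampleRequest).request.headers));
```

The allowlist is deliberately the starting point: if a downstream handler later needs another header, it is added by name, so a new Next.js-internal or proxy control header can never slip through by default. `reflectedUnsafeHeaders` is useful during the code review the advisory recommends, but it only catches exact reflection; it is not a replacement for upgrading.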
CVE-2025-57822 is a medium-severity SSRF vulnerability in Next.js Middleware that allows attackers to forge server-side requests in self-hosted applications whose middleware passes request headers directly into NextResponse.next().
You are affected if you run a self-hosted Next.js application on a version prior to 14.2.32 (14.x) or 15.4.7 (15.x) and your custom middleware passes request headers directly into NextResponse.next().
Upgrade to Next.js 14.2.32 or 15.4.7 (or later). Review custom middleware and replace any direct reflection of request headers with an explicitly constructed header set.
There is currently no indication of active exploitation campaigns related to CVE-2025-57822.
You can find the official advisory at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57822)