Platform: nodejs
Component: next
Fixed versions: 12.3.6, 13.5.10, 14.2.26, 15.2.4
CVE-2025-30218 is a vulnerability in Next.js Middleware, classified as Server-Side Request Forgery (SSRF), that was found while remediating CVE-2025-29927. It concerns the x-middleware-subrequest-id header that the CVE-2025-29927 fix introduced: that header can be sent along to external hosts, so a server-side request initiated through the Middleware can carry an internal identifier to a destination the attacker may control. Fixes are available in 12.3.6, 13.5.10, 14.2.26 and 15.2.4; releases on the 12.x, 13.x, 14.x and 15.x lines older than the fix for their line should be treated as affected.
An attacker can craft requests that the Next.js server then completes on their behalf. Where the Middleware rewrites or proxies traffic to internal services that are not directly exposed to the internet, this can lead to unintended access to those services. The CVSS score is LOW (2.5), but successful exploitation could reveal sensitive information or serve as a stepping stone for further attacks, particularly in environments with complex internal networks. The impact is larger when the Middleware proxies requests to internal APIs or databases, because the attacker may be able to bypass the access controls that the Middleware was meant to enforce.
Vercel independently verified this vulnerability alongside reports from researchers Jinseo Kim and RyotaK (GMO Flatt Security Inc.). Public proof-of-concept code is not currently available, but the vulnerability has been disclosed. It was published on April 2, 2025. It is not currently listed in the CISA KEV catalog.
Organizations running Next.js Middleware in production, particularly those with complex internal networks or that rely on the Middleware to proxy requests to internal APIs or databases, are at risk. Any deployment on the 12.x, 13.x, 14.x or 15.x line that has not moved to the corresponding fixed release (12.3.6, 13.5.10, 14.2.26 or 15.2.4) is directly affected.
• nodejs / server: run npm ls next (or npx next --version inside the project) to read the installed Next.js version, and run npm audit so the advisory database flags the package.
• generic web: check any Next.js version the application discloses (for example in build manifests or bundle paths served to the browser) and compare it with the fixed releases 12.3.6, 13.5.10, 14.2.26 and 15.2.4; anything older on the same line is affected.
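The version comparison above is easy to get wrong by hand (a canary build of a fixed version is still unpatched, and each major line has its own fix). The following is an added example, not code from the advisory or from the Next.js project, that reads the version actually resolved in node_modules and compares it with the fixed release for its major line as listed on this page. It assumes Node.js and the standard npm layout (node_modules/next/package.json); the local file read is only used by the optional command-line check at the bottom.

```javascript
// Added example (not from the advisory or from the Next.js project): compare an installed
// Next.js version with the fixed release for its major line as listed in this advisory.
const FIXED_VERSIONS = { 12: '12.3.6', 13: '13.5.10', 14: '14.2.26', 15: '15.2.4' };

// Parse "15.2.4", "v15.2.4" or "15.2.4-canary.3" into numeric parts plus an optional pre-release tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric comparison; a pre-release (15.2.4-canary.3) sorts before the final 15.2.4
// and is therefore still treated as unpatched.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// Returns 'vulnerable', 'fixed', or 'not covered' for major lines this advisory lists no fix for.
function assessNextVersion(installed) {
  const { major } = parseVersion(installed);
  const fixed = FIXED_VERSIONS[major];
  if (fixed === undefined) return { installed, fixed: null, status: 'not covered' };
  const status = compareVersions(installed, fixed) < 0 ? 'vulnerable' : 'fixed';
  return { installed, fixed, status };
}

// Read the version actually resolved in node_modules (what the lockfile installed),
// not the range declared in the project's own package.json.
function readInstalledNextVersion(projectDir) {
  const fs = require('fs');
  const path = require('path');
  const pkg = path.join(projectDir, 'node_modules', 'next', 'package.json');
  return JSON.parse(fs.readFileSync(pkg, 'utf8')).version;
}

// Usage: node check-next.js [project-dir]
if (typeof require !== 'undefined' && require.main === module) {
  const dir = process.argv[2] || process.cwd();
  try {
    console.log(JSON.stringify(assessNextVersion(readInstalledNextVersion(dir))));
  } catch (e) {
    console.error(`could not read the installed next version from ${dir}: ${e.message}`);
  }
}
```

Run it from the project root; a monorepo with several node_modules trees needs one run per tree, because each may resolve a different next version.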
Exploitation status: disclosed
EPSS: 0.21% (42nd percentile)
CISA SSVC: not available
The primary mitigation for CVE-2025-30218 is to upgrade to a fixed release: 12.3.6, 13.5.10, 14.2.26 or 15.2.4, or later on the respective line. If upgrading is not immediately feasible, review any Middleware that rewrites, redirects or proxies requests to destinations derived from request input, validate those destinations against an allowlist, and configure your firewall or egress proxy so the Next.js server can only make outbound connections to trusted destinations. Monitor server logs for unusual outbound requests that might indicate exploitation attempts.
Upgrade Next.js to version 12.3.6, 13.5.10, 14.2.26 or 15.2.4, or a later version. This corrects the vulnerability that leaks the x-middleware-subrequest-id to external hosts. The upgrade can be performed with npm or yarn.
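The two mitigation paragraphs above (validate destinations and restrict egress; do not let internal headers reach external hosts) come down to two checks a Middleware can apply before it forwards anything. The block below is an added example, not code from the advisory or from Next.js, and it is defence in depth only: upgrading is the fix for CVE-2025-30218, since the leaked header is added by the framework rather than copied from the inbound request. The allowed origins, the passthrough header names and the sample request are hypothetical values constructed for illustration; the code uses the WHATWG URL and Headers globals available in Node.js 18 and later.

```javascript
// Added example (not from the advisory or from Next.js): allowlist the destination of any
// server-side request a middleware derives from request input, and build the outbound
// header set explicitly instead of forwarding inbound headers wholesale.
// Origins and header names below are hypothetical settings for illustration.
const ALLOWED_ORIGINS = new Set(['https://api.internal.example', 'https://cdn.example.com']);
const PASSTHROUGH_HEADERS = ['accept', 'accept-language', 'content-type'];

// Resolve a raw target (absolute or relative) against the site origin and accept it only if the
// parsed origin is allowlisted. Comparing the parsed origin (scheme, host, port) rather than a
// substring of the input catches protocol-relative ("//evil.example/x"), userinfo
// ("https://evil@api.internal.example/"), lookalike-host and alternate-port forms.
function resolveOutboundTarget(rawTarget, siteOrigin, allowed = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(rawTarget, siteOrigin);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in url' };
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed: ' + url.protocol };
  if (!allowed.has(url.origin)) return { ok: false, reason: 'origin not allowed: ' + url.origin };
  return { ok: true, url: url.href };
}

// Copy only the named headers from the inbound request; anything else (session cookies,
// internal tokens, framework-added headers) stays behind.
function buildOutboundHeaders(inbound, passthrough = PASSTHROUGH_HEADERS) {
  const out = new Headers();
  for (const name of passthrough) {
    const value = inbound.get(name);
    if (value !== null) out.set(name, value);
  }
  return out;
}

// Constructed sample: a middleware handling a user-supplied "next" parameter on www.example.com.
function demo() {
  const site = 'https://www.example.com';
  const inbound = new Headers({ accept: 'text/html', 'x-internal-token': 'do-not-leak' });
  return {
    relative: resolveOutboundTarget('/v1/items?id=7', site, new Set([site])),
    protocolRelative: resolveOutboundTarget('//evil.example/x', site, new Set([site])),
    forwarded: [...buildOutboundHeaders(inbound).keys()],
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Pair the code-level allowlist with the egress restriction at the firewall or proxy: the allowlist stops a bad destination from being requested at all, and the network control limits the damage if the application still reaches somewhere it should not.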
CVE-2025-30218 is a Server-Side Request Forgery vulnerability in Next.js Middleware that lets an attacker trigger unintended server-side requests. It is fixed in 12.3.6, 13.5.10, 14.2.26 and 15.2.4; older releases on those lines are affected.
Yes, if your application uses Next.js Middleware on a release older than the fix for its line (12.3.6, 13.5.10, 14.2.26 or 15.2.4), you are affected.
Upgrade to Next.js 12.3.6, 13.5.10, 14.2.26 or 15.2.4 (or later) to resolve the vulnerability. As a temporary workaround if upgrading is not immediately possible, validate the destinations your Middleware forwards to and restrict outbound connections from the server.
While no active exploitation has been confirmed, the vulnerability has been disclosed and could be targeted by attackers.
You can find the official advisory on the Vercel changelog: https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O.