GHSA-4342-x723-ch2f: Next.js Improper Middleware Redirect Handling Leads to SSRF
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.
All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
More details at Vercel Changelog
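The advisory's remediation is to stop handing the raw incoming header set to next(). The following is an added example, not code from Next.js, Vercel or this advisory: a small allowlist helper that a self-hosted middleware can use to decide which request headers are forwarded. The advisory does not name the sensitive headers involved, so the allowlisted names and the sample headers below are assumptions (constructed for the demo), and the Next.js call is shown only in a comment.

```javascript
// Added example, not Next.js or advisory code. Requires Node 18+ for the
// global Headers class; nothing from next/server is imported, so it runs
// stand-alone.

// Assumed allowlist of request headers a route handler typically consumes.
// Adjust to what your own routes need; anything not listed is never forwarded.
const FORWARD_ALLOWLIST = new Set([
  'accept', 'accept-language', 'content-type', 'user-agent', 'x-request-id',
]);

// Build the header set to pass into NextResponse.next({ request: { headers } }).
// Only allowlisted names are copied from the client request; every other
// client-controlled header is dropped instead of being reflected onward.
function forwardableHeaders(incoming) {
  const out = new Headers();
  for (const [name, value] of incoming) {
    if (FORWARD_ALLOWLIST.has(name.toLowerCase())) out.set(name, value);
  }
  return out;
}

// Names that an unfiltered `NextResponse.next({ request: { headers: request.headers } })`
// would have forwarded but the allowlist removes. Useful when reviewing an
// existing middleware to see which client headers it was passing through.
function droppedHeaders(incoming) {
  return [...incoming.keys()].filter((n) => !FORWARD_ALLOWLIST.has(n.toLowerCase()));
}

// In middleware.ts the helper would be used like this (comment only, not run):
//   export function middleware(request) {
//     return NextResponse.next({
//       request: { headers: forwardableHeaders(request.headers) },
//     });
//   }

// Constructed sample request headers for the stand-alone run. The last one is an
// arbitrary client-supplied header that is not on the allowlist.
const sample = new Headers({
  'accept': 'text/html',
  'user-agent': 'example-client/1.0',
  'x-internal-override': 'constructed-value',
});

console.log('forwarded:', [...forwardableHeaders(sample).keys()]);
console.log('dropped:', droppedHeaders(sample));
```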
- CVE-2025-57822
Next.js Improper Middleware Redirect Handling Leads to SSRF
Moderate severity. GitHub Reviewed. Published Aug 29, 2025 in vercel/next.js. Updated Aug 29, 2025.
Affected versions
- < 14.2.32
- >= 15.0.0-canary.0, < 15.4.7
Patched versions
- 14.2.32
- 15.4.7
References
- GHSA-4342-x723-ch2f
- vercel/next.js@9c9aaed
- https://vercel.com/changelog/cve-2025-57822
Published to the GitHub Advisory Database: Aug 29, 2025
Last updated: Aug 29, 2025