Open Next for Cloudflare SSRF Vulnerability Let Attackers Load Remote Resources from Arbitrary Hosts
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A high-severity Server-Side Request Forgery (SSRF) vulnerability has been identified in the @opennextjs/cloudflare package, enabling attackers to exploit the /_next/image endpoint to load remote resources from arbitrary hosts.
The vulnerability, assigned CVE-2025-6087 with a CVSS score of 7.8, affects all versions prior to 1.3.0 and was disclosed by security researcher Edward Coristine.
SSRF Vulnerability in Cloudflare Adapter for Open Next
The SSRF vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, specifically targeting the /_next/image endpoint.
This security flaw allows unauthenticated users to proxy arbitrary remote content through victim domains without proper validation or restrictions.
The attack vector operates through a simple URL manipulation technique where malicious actors can craft requests such as https://victim-site.com/_next/image?url=https://attacker.com.
The vulnerability is classified under CWE-918 (Server-Side Request Forgery) and demonstrates significant exploitability metrics with Network attack vector, Low complexity, and None required privileges or user interaction.
This combination makes the vulnerability particularly dangerous as it requires no authentication or special conditions to exploit.
The security impact encompasses multiple attack vectors, including SSRF via unrestricted remote URL loading and arbitrary remote content loading.
Attackers can leverage this vulnerability to serve malicious content through legitimate victim domains, effectively violating the same-origin policy and potentially misleading users or automated services.
The vulnerability presents risks for internal service exposure and phishing attacks through domain abuse.
When exploited, attacker-controlled content from external domains appears to originate from the victim’s trusted domain, creating opportunities for social engineering attacks and bypassing security controls that rely on domain reputation.
Risk Factors Details Affected Products@opennextjs/cloudflare npm package (versions < 1.3.0)Impact– SSRF via arbitrary remote URL loading- Domain-based phishing risks- Internal service exposureExploit Prerequisites– Unpatched OpenNext/Cloudflare deployment- Publicly accessible /_next/image endpoint- No authentication requirementsCVSS 3.1 Score7.5 (High)
Mitigation Measures
Cloudflare has implemented comprehensive mitigation strategies, including server-side platform updates that automatically restrict content loaded via the /_next/image endpoint to image files only.
This automatic mitigation protects all existing and future deployments using affected versions without requiring immediate user action.
The root cause fix has been delivered through Pull Request #727 to the Cloudflare adapter, with the patched version available as @opennextjs/cloudflare@1.3.0.
Additionally, Pull Request cloudflare/workers-sdk#9608 updates the create-cloudflare (c3) dependency to use the secure version, available as create-cloudflare@2.49.3.
Security teams are strongly encouraged to upgrade to the patched version and implement remotePatterns filters in Next.js configuration files to create allow-lists for external image assets, providing an additional layer of protection against similar vulnerabilities.
#Cyber_Security #Cyber_Security_News #Vulnerability
Оригинальная версия на сайте:
Open Next for Cloudflare SSRF Vulnerability Let Attackers Load Remote Resources from Arbitrary Hosts
Author: KaaviyaA high-severity Server-Side Request Forgery (SSRF) vulnerability has been identified in the @opennextjs/cloudflare package, enabling attackers to exploit the /_next/image endpoint to load remote resources from arbitrary hosts.
The vulnerability, assigned CVE-2025-6087 with a CVSS score of 7.8, affects all versions prior to 1.3.0 and was disclosed by security researcher Edward Coristine.
SSRF Vulnerability in Cloudflare Adapter for Open Next
The SSRF vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, specifically targeting the /_next/image endpoint.
This security flaw allows unauthenticated users to proxy arbitrary remote content through victim domains without proper validation or restrictions.
The attack vector operates through a simple URL manipulation technique where malicious actors can craft requests such as https://victim-site.com/_next/image?url=https://attacker.com.
The vulnerability is classified under CWE-918 (Server-Side Request Forgery) and demonstrates significant exploitability metrics with Network attack vector, Low complexity, and None required privileges or user interaction.
This combination makes the vulnerability particularly dangerous as it requires no authentication or special conditions to exploit.
The security impact encompasses multiple attack vectors, including SSRF via unrestricted remote URL loading and arbitrary remote content loading.
Attackers can leverage this vulnerability to serve malicious content through legitimate victim domains, effectively violating the same-origin policy and potentially misleading users or automated services.
The vulnerability presents risks for internal service exposure and phishing attacks through domain abuse.
When exploited, attacker-controlled content from external domains appears to originate from the victim’s trusted domain, creating opportunities for social engineering attacks and bypassing security controls that rely on domain reputation.
Risk Factors Details Affected Products@opennextjs/cloudflare npm package (versions < 1.3.0)Impact– SSRF via arbitrary remote URL loading- Domain-based phishing risks- Internal service exposureExploit Prerequisites– Unpatched OpenNext/Cloudflare deployment- Publicly accessible /_next/image endpoint- No authentication requirementsCVSS 3.1 Score7.5 (High)
Mitigation Measures
Cloudflare has implemented comprehensive mitigation strategies, including server-side platform updates that automatically restrict content loaded via the /_next/image endpoint to image files only.
This automatic mitigation protects all existing and future deployments using affected versions without requiring immediate user action.
The root cause fix has been delivered through Pull Request #727 to the Cloudflare adapter, with the patched version available as @opennextjs/cloudflare@1.3.0.
Additionally, Pull Request cloudflare/workers-sdk#9608 updates the create-cloudflare (c3) dependency to use the secure version, available as create-cloudflare@2.49.3.
Security teams are strongly encouraged to upgrade to the patched version and implement remotePatterns filters in Next.js configuration files to create allow-lists for external image assets, providing an additional layer of protection against similar vulnerabilities.
#Cyber_Security #Cyber_Security_News #Vulnerability
Оригинальная версия на сайте:
