CVE-2025-57822 Overview
CVE-2025-57822 is a Server-Side Request Forgery (SSRF) vulnerability in Vercel's Next.js framework that affects self-hosted applications using custom middleware logic. The vulnerability occurs when the next() function is used without explicitly passing the request object, leading to incorrect forwarding of user-supplied headers that can be exploited to perform SSRF attacks against internal services.
Critical Impact
Self-hosted Next.js applications with custom middleware implementations may inadvertently forward malicious user-controlled headers, enabling attackers to make unauthorized requests to internal services and potentially access sensitive data or internal resources.
Affected Products
- Vercel Next.js versions prior to 14.2.32
- Vercel Next.js versions prior to 15.4.7
- Self-hosted Next.js applications using custom middleware
Discovery Timeline
- 2025-08-29 - CVE-2025-57822 published to NVD
- 2025-09-08 - Last updated in NVD database
Technical Details for CVE-2025-57822
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The issue stems from improper handling of HTTP request objects within Next.js middleware when developers call the next() function without explicitly passing the request object. In this scenario, user-supplied headers are incorrectly forwarded through the middleware chain, allowing attackers to inject malicious headers that influence subsequent server-side requests.
The vulnerability is particularly dangerous in self-hosted environments where the application may have access to internal network resources, databases, or cloud metadata endpoints that should not be accessible from external requests.
Root Cause
The root cause lies in the router utilities module of Next.js, specifically in how the framework handles location response headers and redirect status codes during request resolution. When middleware invokes next() without the request parameter, the framework fails to properly sanitize or validate the forwarded headers, creating a path for user-controlled data to influence internal server requests.
The security patch addresses this by importing allowedStatusCodes from the redirect-status module and enforcing it in the router handling logic at the point where the location response header is set.
Attack Vector
An attacker can exploit this vulnerability by sending HTTP requests with specially crafted headers to a vulnerable Next.js application. The attack requires network access to the target application and no authentication or user interaction. When the malicious headers are forwarded through the middleware, they can direct the server to make requests to arbitrary internal or external endpoints, potentially exposing sensitive configuration data, internal service responses, or cloud metadata.
import { toNodeOutgoingHttpHeaders } from '../../web/utils'
import { isAbortError } from '../../pipe-readable'
import { getHostname } from '../../../shared/lib/get-hostname'
-import { getRedirectStatus } from '../../../lib/redirect-status'
+import {
+ getRedirectStatus,
+ allowedStatusCodes,
+} from '../../../lib/redirect-status'
import { normalizeRepeatedSlashes } from '../../../shared/lib/utils'
import { getRelativeURL } from '../../../shared/lib/router/utils/relativize-url'
import { addPathPrefix } from '../../../shared/lib/router/utils/add-path-prefix'
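Review bot: The added import of allowedStatusCodes from '../../../lib/redirect-status' is only half of the fix; none of the visible lines use it, so the same commit must also contain the validation at the site where the location response header and redirect status code are set (the page names packages/next/src/server/lib/router-utils/resolve-routes.ts). Without that second hunk the import is unused and the vulnerable behaviour is unchanged, so the reviewer should confirm the enforcement hunk is present before approving.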
Source: GitHub Commit 9c9aaed
Detection Methods for CVE-2025-57822
Indicators of Compromise
- Unusual outbound requests from Next.js application servers to internal IP ranges or cloud metadata endpoints
- Unexpected Host, X-Forwarded-Host, or similar headers in application logs that don't match legitimate traffic patterns
- Server-side requests to localhost, 127.0.0.1, 169.254.169.254, or internal DNS names originating from the web application tier
Detection Strategies
- Implement network traffic monitoring to detect anomalous outbound connections from application servers to internal network segments
- Review middleware code for instances of next() being called without explicit request object parameters
- Enable verbose logging for Next.js middleware to capture and analyze header forwarding behavior
- Deploy web application firewall (WAF) rules to detect SSRF payload patterns in request headers
Monitoring Recommendations
- Configure alerts for outbound connections from application servers to RFC 1918 private IP address ranges
- Monitor for requests to cloud metadata service endpoints (e.g., 169.254.169.254 for AWS/GCP/Azure)
- Implement DNS query logging to identify internal service discovery attempts from the application tier
- Establish baseline network behavior for Next.js applications and alert on deviations
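As an added example (not part of this advisory or of Next.js), the indicator and monitoring lists above can be turned into a small detector that runs over egress-log lines from the application tier and flags destinations matching the advisory's indicators (loopback, 169.254.169.254, RFC 1918 ranges, internal DNS names), with an allowlist for the known-good baseline. The log line format and the sample lines are constructed for this example, and treating names ending in .internal or .local or lacking a dot as internal names is an assumption.

```javascript
// Added example: flag egress destinations that match the advisory's SSRF indicators.
// Constructed sample log lines; the "dst=" / "dport=" format is an assumption, not a real product format.
const SAMPLE_LOG = [
  '2025-09-01T12:00:01Z host=next-app-01 egress dst=api.example.com dport=443',
  '2025-09-01T12:00:02Z host=next-app-01 egress dst=169.254.169.254 dport=80',
  '2025-09-01T12:00:03Z host=next-app-01 egress dst=10.0.3.21 dport=5432',
  '2025-09-01T12:00:04Z host=next-app-01 egress dst=127.0.0.1 dport=6379',
  '2025-09-01T12:00:05Z host=next-app-01 egress dst=vault.corp.internal dport=8200',
  'malformed line with no destination',
];

const LINE_RE = /^(\S+) host=(\S+) egress dst=(\S+) dport=(\d+)$/;
const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Parses one log line; returns null for lines that do not match the expected shape.
function parseEgressLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // unparseable lines are skipped, not reported
  return { ts: m[1], host: m[2], dst: m[3].toLowerCase(), dport: Number(m[4]) };
}

// Returns the indicator category for a destination, or null when it looks external.
function classifyDestination(dst) {
  const ip = IPV4_RE.exec(dst);
  if (ip) {
    const a = Number(ip[1]);
    const b = Number(ip[2]);
    if (dst === '169.254.169.254') return 'cloud-metadata'; // metadata endpoint named in the advisory
    if (a === 127) return 'loopback';
    if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return 'rfc1918';
    return null;
  }
  if (dst === 'localhost') return 'loopback';
  // Assumption: names ending in .internal/.local, or with no dot at all, are internal DNS names.
  if (dst.endsWith('.internal') || dst.endsWith('.local') || !dst.includes('.')) return 'internal-name';
  return null;
}

// Reports every parsed line whose destination is an indicator and is not on the known-good baseline.
function findSsrfIndicators(lines, allowlist = new Set()) {
  const findings = [];
  for (const line of lines) {
    const rec = parseEgressLine(line);
    if (!rec || allowlist.has(rec.dst)) continue;
    const reason = classifyDestination(rec.dst);
    if (reason) findings.push({ ...rec, reason });
  }
  return findings;
}

console.log(findSsrfIndicators(SAMPLE_LOG, new Set(['10.0.3.21'])));
```

The allowlist stands in for the baseline the last bullet asks for: a database host the application legitimately reaches is suppressed while the metadata endpoint, loopback and internal-name hits are still reported.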
How to Mitigate CVE-2025-57822
Immediate Actions Required
- Upgrade Next.js immediately: to 14.2.32 or later on the 14.x line, or to 15.4.7 or later on the 15.x line
- Audit all custom middleware implementations to ensure next() is called with explicit request objects
- Review and restrict outbound network access from application servers using firewall rules or network policies
- Implement egress filtering to block requests to internal networks and cloud metadata endpoints
Patch Information
Vercel has released security patches in Next.js versions 14.2.32 and 15.4.7 that address this vulnerability. The fix modifies the router handling logic in packages/next/src/server/lib/router-utils/resolve-routes.ts to properly validate status codes and prevent unauthorized header forwarding.
For detailed patch information, refer to:
Workarounds
- Ensure all middleware functions explicitly pass the request object to next(request) rather than calling next() without parameters
- Implement a reverse proxy or API gateway that strips or validates sensitive headers before forwarding to the Next.js application
- Configure network-level controls to block SSRF attempts by restricting application egress to known-good destinations
- Deploy additional input validation on headers in middleware before processing
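The audit step in the detection strategies and in the workarounds above (finding middleware that calls next() without passing the request object) can be scripted. This is an added example, not code from the advisory or from Next.js: it scans middleware source text for NextResponse.next(...) and bare next(...) calls and reports those with no arguments or with arguments that never mention request. The sample middleware is constructed for the example, and the rule that an argument list must mention request to count as passing it is an assumption.

```javascript
// Added example: audit middleware source for next() calls that do not pass the request.
// Constructed sample middleware (not from any real project); line 6 and line 11 are the bad calls.
const SAMPLE_MIDDLEWARE = `
import { NextResponse } from 'next/server'

export function middleware(request) {
  if (request.nextUrl.pathname.startsWith('/health')) {
    return NextResponse.next()
  }
  const headers = new Headers(request.headers)
  headers.set('x-trace', 'abc')
  if (request.nextUrl.pathname.startsWith('/admin')) {
    return NextResponse.next({ headers })
  }
  return NextResponse.next({ request: { headers } })
}
`;

// Matches "NextResponse.next(" or a bare "next(" but not "other.next(" or "nextUrl".
const CALL_RE = /(?<![\w$.])(?:NextResponse\.)?next\s*\(/g;

// Returns the text between the call's opening paren and its matching close, or null if unbalanced.
function extractArgs(src, start) {
  let depth = 1;
  for (let i = start; i < src.length; i++) {
    if (src[i] === '(') depth++;
    else if (src[i] === ')' && --depth === 0) return src.slice(start, i);
  }
  return null;
}

// Reports each next() call that passes nothing, or passes options that never mention "request".
function auditMiddlewareSource(source) {
  const findings = [];
  for (const m of source.matchAll(CALL_RE)) {
    const args = extractArgs(source, m.index + m[0].length);
    if (args === null) continue; // unbalanced parens: leave to the real parser
    const line = source.slice(0, m.index).split('\n').length;
    const call = m[0].replace(/\s*\($/, '');
    if (args.trim() === '') findings.push({ line, call, reason: 'no-arguments' });
    else if (!/\brequest\b/.test(args)) findings.push({ line, call, reason: 'arguments-without-request' });
  }
  return findings;
}

console.log(auditMiddlewareSource(SAMPLE_MIDDLEWARE));
```

Run it over each middleware file in the repository; a finding is a call site to review, not proof of exploitability, since the text-level check does not follow variables or strip comments.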
# Upgrade Next.js to patched versions
npm install next@14.2.32
# or for version 15.x
npm install next@15.4.7
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.