CVE-2025-6087 Overview
A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the /_next/image endpoint.
This issue allowed attackers to load remote resources from arbitrary hosts under the victim site's domain for any site deployed using the Cloudflare adapter for Open Next. For example, an attacker could craft a URL such as https://victim-site.com/_next/image?url=https://attacker.com to serve attacker-controlled content through the victim site's domain, violating the same-origin policy and potentially misleading users or other services.
Critical Impact
Unauthenticated attackers can proxy arbitrary remote content through victim sites deployed with the Cloudflare adapter for Open Next, enabling SSRF attacks, arbitrary content loading, internal service exposure, and phishing risks through domain abuse.
Affected Products
- @opennextjs/cloudflare versions prior to 1.3.0
- create-cloudflare (c3) versions prior to 2.49.3
- Sites deployed to Cloudflare using the affected Cloudflare adapter for Open Next
Discovery Timeline
- 2025-06-16 - CVE-2025-6087 published to NVD
- 2025-08-06 - Last updated in NVD database
Technical Details for CVE-2025-6087
Vulnerability Analysis
This SSRF vulnerability exists due to an unimplemented feature in the Cloudflare adapter for Open Next that failed to properly validate and restrict URLs passed to the /_next/image endpoint. The Next.js image optimization feature is designed to serve optimized images, but without proper URL validation, it becomes an open proxy that can fetch and serve content from arbitrary remote hosts.
The vulnerability allows unauthenticated users to abuse the image optimization endpoint to proxy content from any external URL. When a request is made to the /_next/image endpoint with a malicious url parameter, the server fetches and serves the content from the attacker-specified URL under the victim site's domain. This violates the same-origin policy and can be leveraged for various attack scenarios.
Root Cause
The root cause of this vulnerability is the lack of URL validation and restriction in the Cloudflare adapter's implementation of the Next.js image optimization endpoint. The /_next/image endpoint was not properly configured to:
- Validate that requested URLs are from allowed domains
- Restrict content types to images only
- Implement the remotePatterns filtering that Next.js provides for external image sources
Without these safeguards, the endpoint functioned as an unrestricted proxy, allowing attackers to load arbitrary remote content through the victim's domain.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying a target site deployed using the vulnerable Cloudflare adapter for Open Next
- Crafting a malicious URL targeting the /_next/image endpoint with an attacker-controlled URL as the url parameter
- Distributing the crafted URL to victims or using it for SSRF attacks against internal services
The attack can be weaponized for phishing campaigns where malicious content appears to originate from a trusted domain, or for probing internal services that may be accessible from the Cloudflare worker environment.
Detection Methods for CVE-2025-6087
Indicators of Compromise
- Unexpected outbound requests from Cloudflare workers to external domains not in your allowlist
- High volume of requests to the /_next/image endpoint with external URLs
- Access logs showing /_next/image requests with suspicious or unfamiliar domain parameters
- Reports of phishing content appearing to originate from your domain
Detection Strategies
- Monitor access logs for /_next/image endpoint requests with external url parameters
- Implement alerting on requests to /_next/image with URLs pointing to non-allowlisted domains
- Review Cloudflare worker analytics for unusual request patterns or destinations
- Set up anomaly detection for spikes in image optimization endpoint usage
Monitoring Recommendations
- Enable detailed logging for all requests to the /_next/image endpoint
- Configure alerts for outbound requests to unexpected external hosts
- Regularly audit the remotePatterns configuration in your Next.js config
- Monitor for reports of phishing or impersonation campaigns using your domain
How to Mitigate CVE-2025-6087
Immediate Actions Required
- Upgrade @opennextjs/cloudflare to version 1.3.0 or later immediately
- Upgrade create-cloudflare (c3) to version 2.49.3 or later
- Configure the remotePatterns filter in your Next.js config to allowlist only trusted external image sources
- Verify that server-side platform updates from Cloudflare have been applied to your deployment
Patch Information
Cloudflare has deployed server-side updates to their platform that automatically restrict the content loaded via the /_next/image endpoint to images only. This mitigation applies automatically to all existing and future sites deployed to Cloudflare using the affected version of the adapter.
The root cause fix is available in the opennextjs-cloudflare pull request #727. The patched version of the Cloudflare adapter is @opennextjs/cloudflare@1.3.0, available on npm. The create-cloudflare package has also been updated in workers-sdk pull request #9608, with the patched version create-cloudflare@2.49.3 available on npm.
Workarounds
- Configure the remotePatterns filter in your next.config.js to explicitly allowlist only trusted external image domains
- Implement a web application firewall (WAF) rule to block requests to /_next/image with untrusted external URLs
- If image optimization from external sources is not needed, restrict the /_next/image endpoint to local images only
- Monitor and log all requests to the image optimization endpoint for suspicious activity
// next.config.js - Configure remotePatterns to restrict external image sources
module.exports = {
images: {
remotePatterns: [
{
protocol: 'https',
hostname: 'trusted-cdn.example.com',
port: '',
pathname: '/images/**',
},
// Add additional trusted domains as needed
],
},
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
