{"id":4744,"date":"2025-06-19T10:05:51","date_gmt":"2025-06-19T10:05:51","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/06\/19\/open-next-for-cloudflare-ssrf-vulnerability-let-attackers-load-remote-resources-from-arbitrary-hosts\/"},"modified":"2025-06-19T10:05:51","modified_gmt":"2025-06-19T10:05:51","slug":"open-next-for-cloudflare-ssrf-vulnerability-let-attackers-load-remote-resources-from-arbitrary-hosts","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/06\/19\/open-next-for-cloudflare-ssrf-vulnerability-let-attackers-load-remote-resources-from-arbitrary-hosts\/","title":{"rendered":"Open Next for Cloudflare SSRF Vulnerability Let Attackers Load Remote Resources from Arbitrary Hosts"},"content":{"rendered":"

Open Next for Cloudflare SSRF Vulnerability Let Attackers Load Remote Resources from Arbitrary Hosts
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A high-severity Server-Side Request Forgery (SSRF) vulnerability<\/a> has been identified in the @opennextjs\/cloudflare package, enabling attackers to exploit the \/_next\/image endpoint to load remote resources from arbitrary hosts.\u00a0<\/p>\n

The vulnerability, assigned CVE-2025-6087 with a CVSS score of 7.8, affects all versions prior to 1.3.0 and was disclosed by security researcher Edward Coristine.<\/p>\n

SSRF Vulnerability in Cloudflare Adapter for Open Next<\/strong><\/h2>\n

The SSRF vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, specifically targeting the \/_next\/image endpoint.\u00a0<\/p>\n

This security flaw allows unauthenticated users to proxy arbitrary remote content through victim domains without proper validation or restrictions.\u00a0<\/p>\n

The attack vector operates through a simple URL manipulation technique where malicious actors can craft requests such as https:\/\/victim-site.com\/_next\/image?url=https:\/\/attacker.com.<\/p>\n

The vulnerability is classified under CWE-918 (Server-Side Request Forgery) and demonstrates significant exploitability metrics with Network attack<\/a> vector, Low complexity, and None required privileges or user interaction.\u00a0<\/p>\n

This combination makes the vulnerability particularly dangerous as it requires no authentication or special conditions to exploit.<\/p>\n

The security impact encompasses multiple attack vectors, including SSRF via unrestricted remote URL loading and arbitrary remote content loading.<\/p>\n

Attackers can leverage this vulnerability to serve malicious content through legitimate victim domains, effectively violating the same-origin policy and potentially misleading users or automated services.<\/p>\n

The vulnerability presents risks for internal service exposure and phishing attacks through domain abuse.\u00a0<\/p>\n

When exploited, attacker-controlled content from external domains appears to originate from the victim\u2019s trusted domain, creating opportunities for social engineering attacks and bypassing security controls that rely on domain reputation.<\/p>\n

\n\n\n\n\n\n\n\n
Risk Factors<\/strong><\/td>\nDetails<\/strong><\/td>\n<\/tr>\n
Affected Products<\/td>\n@opennextjs\/cloudflare npm package (versions < 1.3.0)<\/td>\n<\/tr>\n
Impact<\/td>\n\u2013 SSRF via arbitrary remote URL loading- Domain-based phishing risks- Internal service exposure<\/td>\n<\/tr>\n
Exploit Prerequisites<\/td>\n\u2013 Unpatched OpenNext\/Cloudflare deployment- Publicly accessible \/_next\/image endpoint- No authentication requirements<\/td>\n<\/tr>\n
CVSS 3.1 Score<\/td>\n7.5 (High)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Mitigation Measures<\/strong><\/h2>\n

Cloudflare has implemented<\/a> comprehensive mitigation strategies, including server-side platform updates that automatically restrict content loaded via the \/_next\/image endpoint to image files only.\u00a0<\/p>\n

This automatic mitigation protects all existing and future deployments using affected versions without requiring immediate user action.<\/p>\n

The root cause fix has been delivered through Pull Request #727 to the Cloudflare adapter, with the patched version available as @opennextjs\/cloudflare@1.3.0.\u00a0<\/p>\n

Additionally, Pull Request cloudflare\/workers-sdk#9608 updates the create-cloudflare (c3) dependency to use the secure version, available as create-cloudflare@2.49.3.<\/p>\n

Security teams are strongly encouraged to upgrade to the patched version and implement remotePatterns filters in Next.js configuration<\/a> files to create allow-lists for external image assets, providing an additional layer of protection against similar vulnerabilities.<\/p>\n

Power up early threat detection, escalation, and mitigation with ANY.RUN\u2019s Threat Intelligence Lookup. <\/strong>Get 50 trial searches<\/strong><\/a>.<\/strong><\/strong><\/p>\n

The post Open Next for Cloudflare SSRF Vulnerability Let Attackers Load Remote Resources from Arbitrary Hosts<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Kaaviya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Open Next for Cloudflare SSRF Vulnerability Let Attackers Load Remote Resources from Arbitrary Hosts A high-severity Server-Side Request Forgery (SSRF) vulnerability has been identified in the @opennextjs\/cloudflare package, enabling attackers to exploit the \/_next\/image endpoint to load remote resources from arbitrary hosts.\u00a0 The vulnerability, assigned CVE-2025-6087 with a CVSS score of 7.8, affects all versions […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131],"tags":[130],"class_list":["post-4744","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4744"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=4744"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4744\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=4744"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=4744"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=4744"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}