Server-side Request Forgery (SSRF) Affecting @opennextjs/cloudflare package, versions <1.3.0


Severity

high (CVSS assessment by Snyk's Security Team)

Threat Intelligence

EPSS: 0.09% (27th percentile)

  • Snyk ID: SNYK-JS-OPENNEXTJSCLOUDFLARE-10494112
  • published: 23 Jun 2025
  • disclosed: 16 Jun 2025
  • credit: Edward Coristine

Introduced: 16 Jun 2025

CVE-2025-6087
CWE-918

How to fix?

Upgrade @opennextjs/cloudflare to version 1.3.0 or higher.

Overview

@opennextjs/cloudflare is a Cloudflare builder for Next.js apps.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /_next/image endpoint. The image optimization route takes the location of the source image from its url query parameter; in affected versions that value is not restricted to the hosts configured for the application, so an attacker can make the server fetch arbitrary remote content and return it from the victim's domain. This can expose internal services reachable from the deployment and facilitates phishing, because attacker-chosen content is served from a trusted origin. The issue is only exploitable if unauthenticated access to the /_next/image endpoint is permitted.

Workaround

This vulnerability can be mitigated by configuring the images.remotePatterns allow-list in the Next.js configuration so that only trusted external image hosts (and, where practical, specific paths) are accepted by the image endpoint.
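As an added example (not code from @opennextjs/cloudflare or Next.js), the following JavaScript shows the kind of allow-list check that the remotePatterns workaround relies on, covering both the overview above and the workaround: the url query parameter of /_next/image is parsed, non-http(s) schemes, embedded credentials and protocol-relative forms are rejected, and the normalized URL is matched against a constructed remotePatterns list. The wildcard semantics (`*` matches one DNS label or path segment, a leading `**.` matches any number of labels, a trailing `/**` matches any number of segments), the sample pattern list and the hostnames are assumptions of this example that approximate the Next.js documentation rather than reproduce its implementation.

```javascript
// Added example, not code from @opennextjs/cloudflare or Next.js.
// Allow-list check for the `url` parameter of /_next/image, modelled on the
// shape of `images.remotePatterns`. Wildcard semantics are an assumption of
// this example: hostname `*` matches one DNS label, a leading `**.` matches
// zero or more labels; pathname `*` matches one segment, a trailing `**`
// matches the rest of the path. A missing pathname matches any path.

// Constructed sample allow-list, as it would appear in next.config.js.
const remotePatterns = [
  { protocol: 'https', hostname: 'images.example.com', pathname: '/uploads/**' },
  { protocol: 'https', hostname: '**.cdn.example.net' },
];

// Escape regex metacharacters in a literal fragment.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Translate a remotePatterns hostname into an anchored regex over the whole
// host, so "images.example.com.evil.net" cannot satisfy "images.example.com".
function hostnameRegex(pattern) {
  let src;
  if (pattern.startsWith('**.')) {
    src = '(?:[^.]+\\.)*' + escapeRegex(pattern.slice(3));
  } else {
    src = pattern.split('*').map(escapeRegex).join('[^.]+');
  }
  return new RegExp('^' + src + '$', 'i');
}

// Segment-wise pathname match; the input is the URL-normalized pathname, so
// dot segments ("/uploads/../admin") have already been resolved.
function pathnameMatches(pathname, pattern) {
  const segs = pathname.split('/').slice(1);
  const pats = pattern.split('/').slice(1);
  for (let i = 0; i < pats.length; i++) {
    if (pats[i] === '**') return true; // trailing globstar accepts the rest
    if (i >= segs.length) return false;
    if (pats[i] !== '*' && pats[i] !== segs[i]) return false;
  }
  return segs.length === pats.length;
}

function matchesPattern(url, p) {
  if (p.protocol !== undefined && url.protocol !== p.protocol + ':') return false;
  if (p.port !== undefined && url.port !== p.port) return false;
  if (!hostnameRegex(p.hostname).test(url.hostname)) return false;
  if (p.pathname !== undefined && !pathnameMatches(url.pathname, p.pathname)) return false;
  return true;
}

// Decide whether the raw `url` query value may be fetched by the server.
function isAllowedImageUrl(rawUrl, patterns) {
  // App-local paths are served from the deployment itself, not fetched remotely.
  if (rawUrl.startsWith('/') && !rawUrl.startsWith('//')) return true;
  let url;
  try {
    url = new URL(rawUrl); // no base URL: relative and "//host" forms throw
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (url.username || url.password) return false; // no credentials in fetch targets
  return patterns.some((p) => matchesPattern(url, p));
}

// Constructed sample requests: the last two are the SSRF shapes the advisory
// describes (an internal host, and an attacker domain proxied through the app).
const samples = [
  'https://images.example.com/uploads/avatars/1.png',
  'https://a.b.cdn.example.net/any/path.jpg',
  'http://10.0.0.5/admin',
  'https://attacker.example.org/phish.png',
];
for (const s of samples) {
  console.log(isAllowedImageUrl(s, remotePatterns) ? 'allow ' : 'reject', s);
}
```

The check runs on the parsed URL object, so host-suffix tricks and dot-segment traversal are handled after normalization, and protocol-relative values that `new URL` cannot resolve on their own are refused rather than resolved against the app's origin. An allow-list on the request URL does not by itself cover redirects: if the fetcher follows a 3xx from an allowed host, the redirect target should be re-checked against the same list before it is followed.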
