CVE-2025-57822: 
Wolfi vulnerability analysis and mitigation

Next.js, a React framework for building full-stack web applications, disclosed a vulnerability (CVE-2025-57822) affecting versions prior to 14.2.32 and 15.4.7. The vulnerability was discovered when next() was used without explicitly passing the request object, which could lead to Server-Side Request Forgery (SSRF) in self-hosted applications that incorrectly forwarded user-supplied headers. The issue was reported on August 29, 2025, and has been assigned a CVSS v3.1 score of 6.5 (Medium) (GitHub Advisory, NVD).

The vulnerability stems from how Next.js middleware responses with a Location header are processed. The issue occurs in the getResolveRoutes function within packages/next/src/server/lib/router-utils/resolve-routes.ts. Before the patch, any response from middleware containing a Location header was treated as a redirect, regardless of the HTTP status code. This could be exploited for SSRF attacks if a middleware returned a non-redirect status with a Location header pointing to an internal or sensitive URL. The vulnerability has been assigned CWE-918 (Server-Side Request Forgery) with a CVSS vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N (Miggo, GitHub Advisory).

The vulnerability could allow attackers to influence the destination of internal requests triggered by middleware routing logic, perform SSRF against internal infrastructure if user-controlled headers were forwarded without validation, and potentially access sensitive internal resources or services unintentionally exposed via internal redirect behavior. This issue primarily affects self-hosted deployments where developers use custom middleware logic and do not follow documented usage of NextResponse.next({ request }) (Vercel Changelog).

The vulnerability has been patched in Next.js versions 14.2.32 and 15.4.7. For users who cannot upgrade immediately, recommended workarounds include: ensuring middleware follows official guidance by using NextResponse.next({ request }) to explicitly pass the request object, avoiding forwarding user-controlled headers to downstream systems without validation, and ensuring headers that should never be sent from client to server are not reflected back via NextResponse.next (Vercel Changelog).

The vulnerability was responsibly disclosed by Nicolas Lamoureux and the Latacora team. Vercel responded by quickly releasing patches and applying fixes to protect their infrastructure customers running affected versions by August 25th, 2025 (Vercel Changelog).