CVE-2025-57822: 
Wolfi vulnerability analysis and mitigation

Next.js, a React framework for building full-stack web applications, disclosed a vulnerability (CVE-2025-57822) affecting versions prior to 14.2.32 and 15.4.7. The vulnerability was discovered when next() was used without explicitly passing the request object, which could lead to Server-Side Request Forgery (SSRF) in self-hosted applications that incorrectly forwarded user-supplied headers (NVD, GitHub Advisory).

The vulnerability lies in how Next.js middleware responses with a Location header are processed. The issue occurred in the getResolveRoutes function within packages/next/src/server/lib/router-utils/resolve-routes.ts, where any response from middleware containing a Location header was treated as a redirect regardless of the HTTP status code. The vulnerability has a CVSS v3.1 base score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N (Miggo, GitHub Advisory).

In affected configurations, attackers could influence the destination of internal requests triggered by middleware routing logic, perform SSRF against internal infrastructure if user-controlled headers were forwarded without validation, and potentially access sensitive internal resources or services unintentionally exposed via internal redirect behavior. This issue is primarily exploitable in self-hosted deployments where developers use custom middleware logic and do not adhere to documented usage of NextResponse.next({ request }) (Vercel Changelog).

The vulnerability has been patched in Next.js versions 14.2.32 and 15.4.7. For users who cannot upgrade immediately, recommended workarounds include: ensuring middleware follows official guidance by using NextResponse.next({ request }) to explicitly pass the request object, avoiding forwarding user-controlled headers to downstream systems without validation, and ensuring headers that should never be sent from client to server are not reflected back via NextResponse.next (Vercel Changelog).

The vulnerability was responsibly disclosed by Nicolas Lamoureux and the Latacora team. Vercel responded by quickly releasing patches and applying fixes to protect their infrastructure customers running affected versions by August 25th, 2025 (Vercel Changelog).