
Cloud Vulnerability DB
A community-led vulnerabilities database
A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, tracked as CVE-2025-6087. The vulnerability was discovered in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the /_next/image endpoint. The issue was disclosed on June 16, 2025, affecting sites deployed using the Cloudflare adapter for Open Next prior to version 1.3.0. The vulnerability has been assigned a CVSS 4.0 Base Score of 7.8 (HIGH) (NVD, Wiz).
The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next: the /_next/image handler did not restrict the remote hosts it would fetch from, so attackers could load resources from arbitrary hosts under the victim site's domain. For example, a request to https://victim-site.com/_next/image?url=https://attacker.com would cause attacker-controlled content to be served through the victim site's domain, violating the same-origin policy. The vulnerability has been assigned the CVSS vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N (NVD).
The impact includes SSRF through unrestricted remote URL loading, serving of arbitrary remote content, and potential exposure of internal services. It also creates phishing risk through domain abuse, since attackers can serve content through a trusted domain. Misleading content could appear as if hosted by the victim, and internal network exposure is possible if the endpoint is used to probe internal services via SSRF (Wiz, GBHackers).
Several mitigation measures have been implemented: 1) Cloudflare has deployed server-side updates that restrict the content loaded via the /_next/image endpoint to images only; 2) a root-cause fix has been released in version 1.3.0 of the @opennextjs/cloudflare package; 3) the create-cloudflare package has been updated to use the fixed version (v2.49.3). Users are encouraged to upgrade to @opennextjs/cloudflare v1.3.0 and, if they need to allow-list external URLs for image assets, to configure a remotePatterns filter in their Next.js config so that only the intended hosts and paths can be fetched (NVD).
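The following is an added example, not code from the @opennextjs/cloudflare project or from Next.js: it shows the kind of allow-list check that a remotePatterns configuration provides, applied to the url parameter of /_next/image. The allow-list entries are constructed, and the glob matching is a simplified approximation of Next.js's own remotePatterns semantics (an assumption, kept for illustration).

```javascript
// Added example (not the adapter's or Next.js's own code): validate the `url`
// parameter of /_next/image against a remotePatterns-style allow-list, so that
// only image assets from intended hosts and paths are fetched and served.

// Constructed allow-list: only images from one CDN host, under /images/, over HTTPS.
const remotePatterns = [
  { protocol: 'https', hostname: 'cdn.example.com', pathname: '/images/**' },
];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Turn a remotePatterns-style glob into an anchored RegExp (simplified
// approximation of Next.js semantics, an assumption): `**` matches any run of
// characters, `*` matches a single host label (no dots) or path segment (no slashes).
function globToRegExp(glob, sep) {
  const body = glob
    .split('**')
    .map(part => part.split('*').map(escapeRegExp).join(`[^${sep}]*`))
    .join('.*');
  return new RegExp(`^${body}$`);
}

function matchesPattern(u, p) {
  if (p.protocol && u.protocol !== `${p.protocol}:`) return false;
  if (!globToRegExp(p.hostname, '.').test(u.hostname)) return false;
  if (p.port !== undefined && u.port !== p.port) return false;
  if (p.pathname && !globToRegExp(p.pathname, '/').test(u.pathname)) return false;
  return true;
}

// Returns true only when the requested URL is a site-relative path (served from
// the site's own assets) or an absolute http(s) URL matching an allow-list entry.
// Protocol-relative URLs (//host/...) are rejected because they still point off-site.
function isAllowedImageUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return raw.startsWith('/') && !raw.startsWith('//');
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return false;
  return remotePatterns.some(p => matchesPattern(u, p));
}

module.exports = { isAllowedImageUrl, matchesPattern, globToRegExp };
```

A handler for /_next/image would call isAllowedImageUrl on the url parameter and answer 400 for anything it rejects, before any fetch is attempted.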
Source: This report was generated using AI