Open Next SSRF Flaw in Cloudflare Lets Hackers Fetch Data from Any Host
A critical Server-Side Request Forgery (SSRF) vulnerability has been discovered in the @opennextjs/cloudflare package, posing a significant security threat to websites deployed using the Cloudflare adapter for Open Next.
The flaw, now tracked as CVE-2025-6087, allows unauthenticated attackers to proxy arbitrary remote content through the vulnerable site’s domain, posing significant risks of phishing, data exposure, and domain abuse.
The vulnerability stems from an unimplemented safeguard in the Cloudflare adapter for Open Next, specifically affecting the popular /_next/image endpoint used by Next.js applications to serve optimized images.
In affected deployments, this endpoint failed to validate external URLs, enabling attackers to load remote resources from any host under the victim site’s domain.
For example, a request to https://victim-site.com/_next/image?url=https://attacker.com would result in content from attacker.com being served as if it originated from victim-site.com, undermining the trust boundary that the same-origin policy relies on and misleading users or services.
This SSRF flaw exposed several critical risks:
- Attackers could proxy arbitrary remote content, bypassing security controls and potentially exposing internal services.
- Phishing campaigns could leverage the victim’s trusted domain to distribute attacker-controlled content.
- Users and automated systems could be deceived into trusting malicious resources, increasing the risk of further compromise.
| Field | Value |
| --- | --- |
| CVE ID | CVE-2025-6087 |
| Vulnerability Type | Server-Side Request Forgery (SSRF) |
| Vulnerable System Impact | Confidentiality: Low, Integrity: Low, Availability: None |
| CVSS v4 Base Score | 7.8 (High) |
| Severity | High |
The vulnerability affected all Next.js sites using the Cloudflare adapter for Open Next prior to version 1.3.0.
The issue was responsibly disclosed by security researcher Edward Coristine, who identified that the image proxy logic lacked proper validation, leaving the door open for SSRF attacks.
Mitigation and Remediation
Cloudflare responded swiftly, deploying automatic server-side updates that restrict the /_next/image endpoint to only load valid image content.
This platform-level fix mitigates the vulnerability for all existing and future sites using the affected adapter.
Additionally, the root cause was addressed in the codebase via pull request #727, with the patched version released as @opennextjs/cloudflare@1.3.0.
The dependency chain was also updated, with [email protected] now incorporating the fix.
Site operators are urged to upgrade to the latest adapter version and use the remotePatterns filter in their Next.js configuration to explicitly allow-list trusted external image sources.
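The allow-list decision that remotePatterns expresses, sketched as an added example (not code from Next.js, Open Next, or the patch in pull request #727). The hostnames are placeholders, the function names are hypothetical, the wildcard matcher is a simplified stand-in for the framework's own, and rejecting unlisted ports is an assumption of this sketch.

```javascript
// Constructed allow-list in the shape of Next.js `images.remotePatterns`
// (the array a site would place in next.config.js); hostnames are placeholders.
const remotePatterns = [
  { protocol: "https", hostname: "images.example.com", pathname: "/uploads/**" },
  { protocol: "https", hostname: "*.cdn.example.net" },
];

// Turn a pattern with `*` / `**` wildcards into an anchored RegExp.
// `*` stays within one segment (label or path part), `**` spans segments.
function globToRegExp(glob, sep) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const body = escaped
    .replace(/\*\*/g, "\u0000") // park `**` so the next step only sees `*`
    .replace(/\*/g, `[^${sep}]+`)
    .replace(/\u0000/g, ".*");
  return new RegExp(`^${body}$`);
}

// Decide whether the `url` query value of /_next/image may be fetched.
function isAllowedImageUrl(rawUrl, patterns) {
  // Same-site assets: one leading slash, never protocol-relative `//host`.
  if (/^\/(?![\/\\])/.test(rawUrl)) return true;
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return false; // not an absolute URL: reject
  }
  if (u.username || u.password) return false; // no `trusted@attacker` tricks
  return patterns.some((p) => {
    if (p.protocol && `${p.protocol}:` !== u.protocol) return false;
    // Assumption of this sketch: a port must be listed to be accepted.
    if ((p.port ?? "") !== u.port) return false;
    // Anchored match on the parsed hostname, not a substring test.
    if (!globToRegExp(p.hostname, ".").test(u.hostname)) return false;
    return globToRegExp(p.pathname ?? "/**", "/").test(u.pathname);
  });
}
```

Matching is done on the parsed hostname with an anchored pattern, so look-alike hosts such as `images.example.com.attacker.example` fail the check instead of passing a prefix or substring comparison.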
The rapid identification and remediation of CVE-2025-6087 highlight the importance of robust security controls in edge deployment platforms.
While the flaw posed a high risk, coordinated disclosure and prompt mitigation have minimized potential exploitation for Cloudflare users.