Description

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

INFO

Published Date : 2025-08-29T21:33:15.304Z

Last Modified : 2025-09-02T17:26:25.016Z

Source : GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-57822 vulnerability.

Vendor: Vercel
Products:
  • Next.js

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact