CVE-2025-57822

About vulnerability

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

Affected product:

Acorn , Next.js , Node.js , boxen , check-updates , cross-spawn , execa , jpm , loopback , loopback-connector , loopback-connector-remote , loopback-datasource-juggler , loopback-phase , os-locale , semantic-release , semver , strong-globalize , strong-remoting , term-size , update-notifier , webpack , yargs

Affected packages:

next @ 13.4.19 (+76 more)

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.