Open next changelog

Author: penalosa

src/content/changelog/workers/2025-06-17-open-next-ssrf.mdx

@@ -0,0 +1,33 @@
+---
+title: SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint
+description: A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, which has been automatically mitigated for all existing deployments.
+products:
+  - workers
+date: 2025-06-17T01:00:00Z
+---
+
+A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, which has been automatically mitigated for all existing deployments.
+
+The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed users to proxy arbitrary remote content via the `/_next/image` endpoint.
+
+This issue allowed attackers to load remote resources from arbitrary hosts under the victim site's domain for any site deployed using the Cloudflare adapter for Open Next. For example: `https://victim-site.com/_next/image?url=https://attacker.com`. In this example, attacker-controlled content from `attacker.com` is served through the victim site's domain (`victim-site.com`), violating the same-origin policy and potentially misleading users or other services.
+
+References: https://www.cve.org/cverecord?id=CVE-2025-6087, https://github.com/opennextjs/opennextjs-cloudflare/security/advisories/GHSA-rvpw-p7vw-wj3m
+
+## Impact
+
+- SSRF via unrestricted remote URL loading
+- Arbitrary remote content loading
+- Potential internal service exposure or phishing risks through domain abuse
+
+## Mitigation
+
+The following mitigations have been put in place:
+
+**Server side updates** to Cloudflare's platform to restrict the content loaded via the `/_next/image` endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next
+
+**Root cause fix:** Pull request [#727](https://github.com/opennextjs/opennextjs-cloudflare/pull/727) to the Cloudflare adapter for Open Next. The patched version of the adapter has been released as `@opennextjs/[email protected]`
+
+**Package dependency update:** Pull request [cloudflare/workers-sdk#9608](https://github.com/cloudflare/workers-sdk/pull/9608) to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare has been published as `[email protected]`.
+
+In addition to the automatic mitigation deployed on Cloudflare's platform, we encourage affected users to upgrade to `@opennext/cloudflare` v1.3.0 and use the [`remotePatterns`](https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns) filter in Next config if they need to allow-list external urls with images assets.