Skip to content

Mitigations put in place for SSRF in @opennextjs/cloudflare #23068

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Jun 17, 2025
Merged

Mitigations put in place for SSRF in @opennextjs/cloudflare #23068

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c49afbb
Open next changelog
penalosa Jun 17, 2025
c87e792
Update src/content/changelog/workers/2025-06-17-open-next-ssrf.mdx
workers-devprod Jun 17, 2025
238ba63
updates
penalosa Jun 17, 2025
cd4b3b5
updates
penalosa Jun 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions src/content/changelog/workers/2025-06-17-open-next-ssrf.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
---
title: SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint
Copy link
Contributor

@lrapoport-cf lrapoport-cf Jun 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if the changelog entry should reflect the changes put in place, more than just a notification that a vuln was identified, perhaps:

Suggested change
title: SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint
title: Mitigation for SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint

Copy link
Contributor

@irvinebroque irvinebroque Jun 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

Suggested change
title: SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint
title: SSRF vulnerability in @opennextjs/cloudflare proactively mitigated for all Cloudflare customers

description: A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, which has been automatically mitigated for all existing deployments.
Copy link
Contributor

@lrapoport-cf lrapoport-cf Jun 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe more emphasis on the mitigation than the vuln?

Suggested change
description: A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, which has been automatically mitigated for all existing deployments.
description: Mitigations have been put in place for all existing and future deployments of sites with the Cloudflare adapter for Open Next in response to an identified Server-Side Request Forgery (SSRF) vulnerability in the @opennextjs/cloudflare package

products:
- workers
date: 2025-06-17T01:00:00Z
---

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, which has been automatically mitigated for all existing deployments.

The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed users to proxy arbitrary remote content via the `/_next/image` endpoint.

This issue allowed attackers to load remote resources from arbitrary hosts under the victim site's domain for any site deployed using the Cloudflare adapter for Open Next. For example: `https://victim-site.com/_next/image?url=https://attacker.com`. In this example, attacker-controlled content from `attacker.com` is served through the victim site's domain (`victim-site.com`), violating the same-origin policy and potentially misleading users or other services.

References: https://www.cve.org/cverecord?id=CVE-2025-6087, https://github.com/opennextjs/opennextjs-cloudflare/security/advisories/GHSA-rvpw-p7vw-wj3m

## Impact

- SSRF via unrestricted remote URL loading
- Arbitrary remote content loading
- Potential internal service exposure or phishing risks through domain abuse

## Mitigation

The following mitigations have been put in place:

**Server side updates** to Cloudflare's platform to restrict the content loaded via the `/_next/image` endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next
Copy link
Contributor

@irvinebroque irvinebroque Jun 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest referencing this more directly in first 2-3 sentences


**Root cause fix:** Pull request [#727](https://github.com/opennextjs/opennextjs-cloudflare/pull/727) to the Cloudflare adapter for Open Next. The patched version of the adapter has been released as `@opennextjs/[email protected]`

**Package dependency update:** Pull request [cloudflare/workers-sdk#9608](https://github.com/cloudflare/workers-sdk/pull/9608) to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare has been published as `[email protected]`.

In addition to the automatic mitigation deployed on Cloudflare's platform, we encourage affected users to upgrade to `@opennext/cloudflare` v1.3.0 and use the [`remotePatterns`](https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns) filter in Next config if they need to allow-list external urls with images assets.
Copy link
Contributor

@vicb vicb Jun 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same comment here for automatic?