CVE-2025-6087
📋 TL;DR
A Server-Side Request Forgery (SSRF) vulnerability in the @opennextjs/cloudflare package allows unauthenticated attackers to proxy arbitrary remote content through the /_next/image endpoint. This affects any site deployed using the Cloudflare adapter for Open Next, enabling attackers to serve malicious content under the victim's domain.
💻 Affected Systems
- @opennextjs/cloudflare
- Open Next with Cloudflare adapter
📦 What is this software?
Create Cloudflare by Cloudflare
⚠️ Risk & Real-World Impact
Worst Case
Attackers could expose internal services, perform phishing attacks using the victim's domain, or use the vulnerable server as a proxy for attacks against other systems.
Likely Case
Attackers serve malicious content (phishing pages, malware) through the victim's domain, bypassing same-origin policies and potentially tricking users.
If Mitigated
With proper controls, only whitelisted image URLs can be loaded through the endpoint, preventing SSRF and content injection.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint with attacker-controlled URLs. No authentication or special conditions needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: @opennextjs/cloudflare@1.3.0
Vendor Advisory: https://github.com/opennextjs/opennextjs-cloudflare/pull/727
Restart Required: Yes
Instructions:
1. Update package.json to use @opennextjs/cloudflare@1.3.0 or later.
2. Run npm update or yarn upgrade.
3. Redeploy the application to Cloudflare.
4. Verify the fix by testing the /_next/image endpoint with external URLs.
🔧 Temporary Workarounds
Configure remotePatterns in Next.js config
Restrict which external URLs can be loaded through the image endpoint using the Next.js remotePatterns configuration.
Add remotePatterns to next.config.js with allowed domains only.
🧯 If You Can't Patch
- Deploy Cloudflare WAF rules to block malicious requests to /_next/image endpoint
- Implement reverse proxy filtering to validate and sanitize URL parameters before reaching the application
🔍 How to Verify
Check if Vulnerable:
Test whether the /_next/image endpoint accepts arbitrary external URLs (e.g., https://victim-site.com/_next/image?url=https://attacker.com). If it loads content from attacker.com, the system is vulnerable.
Check Version:
npm list @opennextjs/cloudflare
Verify Fix Applied:
After patching, test the same endpoint with external URLs. It should only accept URLs matching configured remotePatterns or return errors for unauthorized domains.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /_next/image with external domains
- High volume of image requests with varied URL parameters
- Requests to internal IP addresses or localhost via the endpoint
Network Indicators:
- Outbound connections from the server to unexpected external domains triggered by /_next/image requests
- Unusual traffic patterns to the image endpoint
SIEM Query:
source="web_server" AND path="/_next/image" AND (url="*http://*" OR url="*https://*")
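The SIEM query above matches every remote image URL, including legitimately allowlisted ones. The following is an added example (not code from the advisory or from the @opennextjs/cloudflare project) that turns the log indicators above into a triage pass over web-server log lines: it decodes the url parameter of each /_next/image request and flags targets that are internal (loopback, RFC1918, link-local including the cloud metadata address) or not on the allowlist a remotePatterns config would permit. The allowlisted host, the log lines and the combined-log format are constructed assumptions.

```javascript
// Added example, not from the advisory or the project. Constructed allowlist:
// the hosts a next.config.js remotePatterns entry would permit.
const ALLOWED_HOSTS = new Set(["cdn.example.com"]);

// Loopback, link-local (includes 169.254.169.254 metadata) and RFC1918 ranges:
// a proxied fetch to these is the highest-priority finding.
function isInternalHost(host) {
  if (host === "localhost" || host === "::1" || host === "[::1]") return true;
  const m = host.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Parse one combined-format log line; return a finding or null when benign.
function classifyLine(line) {
  const m = line.match(/"(?:GET|HEAD) (\/_next\/image\?[^ "]*) HTTP/);
  if (!m) return null;                       // not an image-endpoint request
  const req = new URL(m[1], "http://placeholder.invalid");
  const raw = req.searchParams.get("url");   // percent-decoded target
  if (!raw) return null;
  if (/^\/(?!\/)/.test(raw)) return null;    // local asset path, not a remote fetch
  let target;                                // base resolves protocol-relative //host
  try { target = new URL(raw, "https://placeholder.invalid"); }
  catch { return { level: "low", reason: "unparseable url", raw }; }
  if (!/^https?:$/.test(target.protocol)) return { level: "medium", reason: "non-http scheme", raw };
  const host = target.hostname;
  if (isInternalHost(host)) return { level: "high", reason: "internal target", host, raw };
  if (!ALLOWED_HOSTS.has(host)) return { level: "medium", reason: "host not in allowlist", host, raw };
  return null;
}

function triage(lines) { return lines.map(classifyLine).filter(Boolean); }

// Constructed sample lines (not real traffic): local asset, allowlisted CDN,
// an unlisted external host, and an internal metadata address.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Jun/2025:10:00:01 +0000] "GET /_next/image?url=%2Flogo.png&w=256&q=75 HTTP/1.1" 200 812',
  '203.0.113.5 - - [10/Jun/2025:10:00:02 +0000] "GET /_next/image?url=https%3A%2F%2Fcdn.example.com%2Fa.png&w=640&q=75 HTTP/1.1" 200 5120',
  '198.51.100.7 - - [10/Jun/2025:10:00:03 +0000] "GET /_next/image?url=https%3A%2F%2Fattacker.example%2Fphish.html&w=640&q=75 HTTP/1.1" 200 9001',
  '198.51.100.7 - - [10/Jun/2025:10:00:04 +0000] "GET /_next/image?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F&w=64&q=1 HTTP/1.1" 200 300',
];

for (const f of triage(SAMPLE_LOG)) console.log(f.level, f.reason, f.host || f.raw);
```

Only the two last sample lines produce findings; keep ALLOWED_HOSTS in sync with the remotePatterns entries so allowlisted CDN traffic stays quiet.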