A Server-Side Request Forgery (SSRF) vulnerability has been discovered in the @opennextjs/cloudflare package, potentially allowing unauthenticated users to abuse the /_next/image endpoint to proxy arbitrary remote content through a victim’s domain. The flaw, now tracked as CVE-2025-6087 with a CVSS v4 score of 7.8, impacts all Next.js sites deployed using the Cloudflare adapter for OpenNext prior to version 1.3.0.
The vulnerability is caused by an unimplemented safeguard in the image proxy logic of the Cloudflare deployment adapter, which enabled attackers to force the victim site to load remote content from attacker-controlled domains.
“This issue allowed attackers to load remote resources from arbitrary hosts under the victim site’s domain for any site deployed using the Cloudflare adapter for OpenNext,” the advisory warns.
OpenNext is an open-source adapter that enables developers to deploy Next.js applications on platforms like Cloudflare Workers. This gives developers performance advantages with edge-based delivery, but also introduces risks when platform-specific features like image optimization are left insufficiently guarded.
At the core of CVE-2025-6087 is the /_next/image endpoint, a standard route used by Next.js to serve optimized images. In affected deployments, this endpoint allowed attackers to load arbitrary external URLs without validation:
“For example: https://victim-site.com/_next/image?url=https://attacker.com… attacker-controlled content from attacker.com is served through the victim site’s domain.”
Because the attacker's content is delivered from the victim's origin, it inherits that origin's trust and opens the door to:
- Phishing attacks via domain-based trust abuse
- Misleading content appearing as if hosted by the victim
- Potential internal network exposure if used to probe internal services via SSRF
The security flaw has been addressed through multiple coordinated updates:
- Server-side fix: Cloudflare has rolled out an automatic platform-level update restricting /_next/image to load only actual image content, mitigating the issue for all current and future deployments.
- Codebase patch: Pull request #727 introduced the fix in @opennextjs/cloudflare, with the secure version published as v1.3.0.
- Dependency chain update: Cloudflare also patched the create-cloudflare package via PR #9608, with the updated secure version released as v2.49.3.
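The two safeguards the fixes above describe, a remote-host allowlist on the requested `url` and a check that the upstream body is really an image, written out as an added example (not code from OpenNext, Cloudflare or the advisory). The hostnames, the `ALLOWED_IMAGE_HOSTS` list and the `fakeFetch` stand-in are constructed so the example runs offline.

```javascript
// Added example: checks an image proxy such as /_next/image should apply before
// serving remote content under its own origin. Hostnames are constructed placeholders.
const ALLOWED_IMAGE_HOSTS = ["images.example-cdn.test"]; // assumed operator allowlist
// SVG is deliberately excluded: an attacker-controlled SVG served from the victim
// origin can carry script, so it needs its own opt-in decision.
const IMAGE_MIME = /^image\/(png|jpe?g|gif|webp|avif)$/i;

// Step 1: only forward to explicitly allowed hosts, over https.
function isAllowedImageUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  if (u.protocol !== "https:") return false;
  // Exact host match also blocks internal targets such as 10.0.0.1 or localhost.
  return ALLOWED_IMAGE_HOSTS.includes(u.hostname.toLowerCase());
}

// Step 2: even from an allowed host, only relay bodies whose type is an image.
function isImageResponse(response) {
  const ct = (response.headers.get("content-type") || "").split(";")[0].trim();
  return IMAGE_MIME.test(ct);
}

// Decision for a /_next/image?url=... request. fetchImpl is injected so the
// example can run with a constructed responder instead of the network.
async function proxyImage(requestUrl, fetchImpl) {
  const target = new URL(requestUrl).searchParams.get("url");
  if (!target || !isAllowedImageUrl(target)) {
    return { status: 400, reason: "url not in image allowlist" };
  }
  const upstream = await fetchImpl(target);
  if (!upstream.ok || !isImageResponse(upstream)) {
    return { status: 400, reason: "upstream is not an image" };
  }
  return { status: 200, contentType: upstream.headers.get("content-type") };
}

// Constructed stand-in for fetch(): the allowed host answers with a PNG, anything
// else with an HTML page (what a phishing page relayed through the proxy would be).
async function fakeFetch(target) {
  const isImg = new URL(target).hostname === "images.example-cdn.test";
  return new Response(isImg ? "\x89PNG(constructed)" : "<html>not an image</html>", {
    status: 200,
    headers: { "content-type": isImg ? "image/png" : "text/html; charset=utf-8" },
  });
}
```

Either check alone leaves a gap: the allowlist does not help if an allowed host is later compromised, and the content-type check alone still lets the proxy reach internal hosts, so production code should keep both.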