CVE-2025-57822: Next.js Improper Middleware Redirect Handling Leads to SSRF

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: -
Published: 8/29/2025
Updated: 8/29/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| next | npm | < 14.2.32 | 14.2.32 |
| next | npm | >= 15.0.0-canary.0, < 15.4.7 | 15.4.7 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability lies in how Next.js middleware responses with a Location header are processed. The provided patch 9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8 clearly shows that the getResolveRoutes function in packages/next/src/server/lib/router-utils/resolve-routes.ts was modified to address this issue. Before the patch, any response from a middleware that included a Location header was treated as a redirect, and the server would attempt to fetch the URL from this header. This behavior could be abused for SSRF attacks. The fix introduces a check to ensure that the response's status code is a valid redirect status before treating the Location header as a redirect. Therefore, the getResolveRoutes function is the specific location of the vulnerable code that, when triggered, would appear in a runtime profile during exploitation.

Vulnerable functions

getResolveRoutes
packages/next/src/server/lib/router-utils/resolve-routes.ts
The function `getResolveRoutes` was vulnerable because it incorrectly handled responses from middleware. If a middleware returned a response containing a 'Location' header, this function would treat it as a redirect and attempt to route the request to the URL specified in the header, regardless of the HTTP status code of the response. This could be exploited to cause a Server-Side Request Forgery (SSRF) if a middleware returned a non-redirect status (e.g., 200 OK) but included a 'Location' header pointing to an internal or sensitive URL. The patch fixes this by checking if the response status is a valid redirect status code before processing the 'Location' header as a redirect.
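The decision described above, as an added model that is not Next.js source and not Miggo's code: a middleware response is reduced to a router action, once with the pre-fix rule (any `Location` header is a redirect the server resolves itself) and once with the patched rule (only a real 3xx redirect status counts). The function and variable names, and the sample responses, are assumptions constructed for the example.

```javascript
// Added illustrative model of the decision the page attributes to
// getResolveRoutes; it is NOT Next.js source. Names such as isRedirectStatus,
// resolveMiddlewareResponse and simulateRouter are assumptions.

const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

function isRedirectStatus(status) {
  return REDIRECT_STATUSES.has(status);
}

// Case-insensitive header lookup on a plain { name: value } object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// Decide what the router does with a middleware response.
// patched=false: any Location header is treated as a redirect (pre-fix).
// patched=true:  Location only counts when the status is a real redirect code.
function resolveMiddlewareResponse(res, { patched }) {
  const location = getHeader(res.headers, "location");
  if (location === null) return { action: "continue" };
  if (!patched || isRedirectStatus(res.status)) {
    return { action: "redirect", target: location };
  }
  // e.g. 200 OK with a Location header: just a response, never fetched server-side.
  return { action: "respond", status: res.status };
}

// Stand-in for the server resolving a redirect target: records the URLs the
// server would request instead of fetching anything (no network involved).
function simulateRouter(responses, opts) {
  const requested = [];
  for (const res of responses) {
    const r = resolveMiddlewareResponse(res, opts);
    if (r.action === "redirect") requested.push(r.target);
  }
  return requested;
}

// Constructed sample middleware responses (not captured from a real app).
const SAMPLES = [
  // Legitimate redirect: a 307 with a relative Location.
  { status: 307, headers: { Location: "/login" } },
  // The SSRF shape from the advisory: a 200 OK carrying a Location header
  // that points at an internal-only host.
  { status: 200, headers: { location: "http://internal.example/admin" } },
];

console.log(simulateRouter(SAMPLES, { patched: false }), simulateRouter(SAMPLES, { patched: true }));
```

With the pre-fix rule the server would resolve both targets, including the internal one; with the status check only the genuine 307 redirect is followed.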

WAF Protection Rules

WAF Rule

A vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly passed into `NextResponse.next()`. In self-hosted applications, this could allow Server-Side Request Forgery.