Next.js Improper Middleware Redirect Handling Leads to SSRF

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

服务端请求伪造(SSRF)

Next.js 代码问题漏洞

Next.js是Vercel开源的一个 React 框架。 Next.js 14.2.32之前版本和15.4.7之前版本存在代码问题漏洞，该漏洞源于next函数使用不当，可能导致服务器端请求伪造。

N/A

N/A