CVE-2025-57822
Published: 29 August 2025
Summary
CVE-2025-57822 is a medium-severity SSRF (CWE-918) vulnerability in Vercel Next.js. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Next.js is a React framework for building full-stack web applications. CVE-2025-57822 is an SSRF vulnerability (CWE-918) affecting versions prior to 14.2.32 and 15.4.7. It occurs in self-hosted deployments when the next() function is invoked in custom middleware without explicitly passing the request object, allowing incorrectly forwarded user-supplied headers to trigger unauthorized server-side requests.
An unauthenticated remote attacker can exploit the flaw over the network by supplying crafted headers that the middleware forwards, achieving high-impact confidentiality exposure and limited integrity changes with moderate attack complexity. The CVSS 6.5 score reflects these parameters under an unchanged scope.
The GitHub security advisory GHSA-4342-x723-ch2f, the linked commit, and the Vercel changelog all recommend an immediate upgrade to the fixed releases and verification that custom middleware always passes the request object explicitly to next().
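As an added example (not code from the advisory, from Vercel, or from the Next.js project), the following Node.js script audits a self-hosted checkout for the two conditions above: an installed next version below the fixed releases, and custom middleware calling NextResponse.next() without passing the request object. Assumptions: only the 14.x and 15.x lines named above are scored, a call is flagged when its argument list does not contain a `request` key, and the sample middleware is constructed for the demonstration.

```javascript
// Fixed releases named in the advisory, keyed by major line (assumption:
// only the 14.x and 15.x lines are scored; other majors report "unknown").
const FIXED = { 14: [14, 2, 32], 15: [15, 4, 7] };
function parseVersion(v) {
  // Strip a leading range operator such as ^ or ~ from package.json values.
  return v.replace(/^[\^~=v]/, "").split(".").map((n) => parseInt(n, 10) || 0);
}
// Returns "fixed", "vulnerable" or "unknown" for an installed next version.
function versionStatus(versionString) {
  const parts = parseVersion(versionString);
  const fixed = FIXED[parts[0]];
  if (!fixed) return "unknown";
  for (let i = 0; i < 3; i++) {
    const cur = parts[i] || 0; // missing patch/minor component counts as 0
    if (cur < fixed[i]) return "vulnerable";
    if (cur > fixed[i]) return "fixed";
  }
  return "fixed"; // exactly the fixed release
}
// Returns 1-based line numbers of NextResponse.next(...) calls whose argument
// list does not mention `request` (the pattern the advisory warns about).
function findUnsafeNextCalls(source) {
  const hits = [];
  const re = /NextResponse\.next\(/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    // Walk to the matching ')' so multi-line option objects are handled.
    let depth = 1, i = m.index + m[0].length;
    while (i < source.length && depth > 0) {
      if (source[i] === "(") depth++;
      else if (source[i] === ")") depth--;
      i++;
    }
    const args = source.slice(m.index + m[0].length, i - 1);
    if (!/\brequest\b/.test(args)) {
      hits.push(source.slice(0, m.index).split("\n").length);
    }
  }
  return hits;
}
// Constructed sample middleware (not real project code); line 4 is unsafe.
const SAMPLE_MIDDLEWARE = `import { NextResponse } from "next/server";
export function middleware(request) {
  if (request.nextUrl.pathname.startsWith("/admin")) {
    return NextResponse.next();           // request not forwarded
  }
  return NextResponse.next({ request });  // recommended form
}`;
console.log(versionStatus("14.2.31"), findUnsafeNextCalls(SAMPLE_MIDDLEWARE));
```

In a real audit, read the `next` entry from package.json and the contents of middleware.ts (or middleware.js) from disk and pass them to these two functions.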
EPSS rose from a low baseline to a peak of 0.1330 on 2026-05-15 before receding to the current 0.0781, indicating post-disclosure exploitation interest that warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26245
Vulnerability details
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in public-facing Next.js middleware directly enables exploitation of the app (T1190) and access to cloud metadata APIs (T1552.005).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely remediation of known software flaws such as CVE-2025-57822 by upgrading to patched Next.js versions 14.2.32 or 15.4.7.
- SI-10 (Information Input Validation): requires validation of information inputs such as user-supplied headers in middleware, blocking malicious values that enable SSRF.
- SC-7 (Boundary Protection): monitors and controls web application communications, restricting unintended outbound requests to internal resources triggered by SSRF.