Cyber Resilience

CVE-2025-57822

Medium

Published: 29 August 2025
Modified: 08 September 2025
KEV Added: not listed
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0781 (92.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-57822 is a medium-severity SSRF (CWE-918) vulnerability in Vercel Next.js. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Next.js is a React framework for building full-stack web applications. CVE-2025-57822 is an SSRF vulnerability (CWE-918) affecting versions prior to 14.2.32 and 15.4.7. It occurs in self-hosted deployments when the next() function is invoked in custom middleware without explicitly passing the request object, allowing incorrectly forwarded user-supplied headers to trigger unauthorized server-side requests.

An unauthenticated remote attacker can exploit the flaw over the network by supplying crafted headers that the middleware forwards, achieving high-impact confidentiality exposure and limited integrity changes with moderate attack complexity. The CVSS 6.5 score reflects these parameters under an unchanged scope.

The GitHub security advisory GHSA-4342-x723-ch2f, the linked commit, and the Vercel changelog all recommend an immediate upgrade to the fixed releases and verification that custom middleware always passes the request object explicitly to next().
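As an added illustration of that verification step (example code written for this page, not taken from the advisory, the Vercel changelog or Next.js itself), the following Node.js helper checks whether a pinned next version falls inside the affected ranges stated above and flags NextResponse.next() calls in middleware source that pass no argument. The regex and the sample middleware are constructed assumptions; a hit means the call should be reviewed, not that the application is exploitable.

```javascript
// Added audit helper for CVE-2025-57822 (not from the advisory or Next.js).
// Two checks: is the installed next version in an affected range, and does
// middleware source call NextResponse.next() without forwarding the request?

// Parse "15.4.7" (a leading ^, ~, = or v and any pre-release tag such as
// "-canary.3" are ignored) into [major, minor, patch].
function parseVersion(v) {
  const [core] = String(v).replace(/^[\^~=v]/, "").split("-");
  const parts = core.split(".").map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Affected per the advisory text: everything before 14.2.32, and the 15.x
// line from 15.0.0 up to but not including 15.4.7.
function isAffectedNextVersion(v) {
  if (compareVersions(v, "14.2.32") < 0) return true;
  return compareVersions(v, "15.0.0") >= 0 && compareVersions(v, "15.4.7") < 0;
}

// Report the 1-based line of every NextResponse.next( ) call whose argument
// list is empty. Heuristic: assumes the un-aliased import from 'next/server'.
function findNextCallsWithoutRequest(source) {
  const findings = [];
  const re = /NextResponse\.next\(\s*\)/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const line = source.slice(0, m.index).split("\n").length;
    findings.push({ line, call: m[0] });
  }
  return findings;
}

// Constructed sample middleware: line 3 drops the request, line 4 forwards it.
const SAMPLE_MIDDLEWARE = [
  "import { NextResponse } from 'next/server';",
  "export function middleware(request) {",
  "  if (request.nextUrl.pathname === '/healthz') return NextResponse.next();",
  "  const response = NextResponse.next({ request });",
  "  return response;",
  "}",
].join("\n");
```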

EPSS rose from a low baseline to a peak of 0.1330 on 2026-05-15 before receding to the current 0.0781, indicating post-disclosure exploitation interest that warrants renewed attention.

Vulnerability details

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

CWE(s): CWE-918 (Server-Side Request Forgery)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Why these techniques?

SSRF in public-facing Next.js middleware directly enables exploitation of the app (T1190) and access to cloud metadata APIs (T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44578 (same product: Vercel Next.js)
CVE-2026-45109 (same product: Vercel Next.js)
CVE-2026-44574 (same product: Vercel Next.js)
CVE-2026-44573 (same product: Vercel Next.js)
CVE-2026-44575 (same product: Vercel Next.js)
CVE-2025-29927 (same product: Vercel Next.js)
CVE-2025-59472 (same product: Vercel Next.js)
CVE-2025-59471 (same product: Vercel Next.js)
CVE-2026-27980 (same product: Vercel Next.js)
CVE-2026-27979 (same product: Vercel Next.js)

Affected Assets

Vendor: vercel
Product: next.js
Versions: ≤ 14.2.32 · 15.0.0 to 15.4.7

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation (prevent): Directly mandates timely remediation of known software flaws like CVE-2025-57822 by upgrading to patched Next.js versions 14.2.32 or 15.4.7.

SI-10 Information Input Validation (prevent): Requires validation of information inputs such as user-supplied headers in middleware to block malicious values that enable SSRF.

SC-7 Boundary Protection (prevent, detect): Implements boundary protection to monitor and control web application communications, restricting unintended outbound requests to internal resources triggered by SSRF.
