CVE-2025-57822
Published: 29 August 2025
Summary
CVE-2025-57822 is a medium-severity SSRF (CWE-918) vulnerability in Vercel Next.js. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely remediation of known software flaws like CVE-2025-57822 by upgrading to patched Next.js versions 14.2.32 or 15.4.7.
- SI-10 (Information Input Validation): requires validation of information inputs such as user-supplied headers in middleware to block malicious values that enable SSRF.
- Boundary protection: monitors and controls web application communications, restricting unintended outbound requests to internal resources triggered by SSRF.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in public-facing Next.js middleware directly enables exploitation of the app (T1190) and access to cloud metadata APIs (T1552.005).
NVD Description
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
Deeper analysis
CVE-2025-57822 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting Next.js, a React framework for building full-stack web applications. The issue arises in self-hosted applications prior to versions 14.2.32 and 15.4.7, where the next() function in custom middleware is called without explicitly passing the request object. This misconfiguration can result in the incorrect forwarding of user-supplied headers, enabling SSRF. The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating medium severity with high confidentiality impact and low integrity impact.
Remote attackers with network access can exploit this vulnerability without privileges or user interaction, though it requires high attack complexity. By supplying malicious headers in requests to affected applications, attackers can trick the server into making unintended internal or external requests, potentially accessing sensitive internal resources, metadata services, or cloud infrastructure. The unchanged scope limits lateral movement, but successful SSRF could lead to data exfiltration or further reconnaissance.
Advisories recommend upgrading to Next.js versions 14.2.32 or 15.4.7, where the vulnerability has been fixed. Users implementing custom middleware in self-hosted environments should verify correct usage of the next() function, explicitly passing the request object. Relevant resources include the fix commit at https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8, the GitHub security advisory at https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f, and Vercel's changelog at https://vercel.com/changelog/cve-2025-57822.
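The two remediation steps above (upgrade to a fixed version; verify that middleware passes the request object to next()) can be turned into automated checks. The following is an added example, not code from the advisory or the Next.js project: a version check against the fixed releases named above and a heuristic lint that flags bare NextResponse.next() calls in middleware source. The sample middleware is constructed for the demonstration, and treating majors 16 and above as out of scope is an assumption (the advisory does not name them).

```javascript
// Added example: defender-side checks for CVE-2025-57822. Not part of the advisory.
// Fixed versions named in the advisory, keyed by major line.
const FIXED = { 14: [14, 2, 32], 15: [15, 4, 7] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the installed Next.js version falls in an affected range:
// anything below 14.2.32, or a 15.x release below 15.4.7.
// Assumption: majors >= 16 are outside this advisory's scope.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  if (v[0] <= 14) return cmp(v, FIXED[14]) < 0;
  if (v[0] === 15) return cmp(v, FIXED[15]) < 0;
  return false;
}

// Heuristic lint: return 1-based line numbers of NextResponse.next() calls with an
// empty argument list, i.e. calls that do not pass the request object. Regex-based,
// so it will miss aliased imports and calls split across lines.
function findBareNextCalls(source) {
  const bare = /NextResponse\.next\(\s*\)/;
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    if (bare.test(line)) findings.push(idx + 1);
  });
  return findings;
}

// Constructed sample middleware: one bare call (flagged) and one call that
// passes the request object with its headers (not flagged).
const SAMPLE_MIDDLEWARE = `
import { NextResponse } from 'next/server';
export function middleware(request) {
  if (request.nextUrl.pathname.startsWith('/legacy')) {
    return NextResponse.next();
  }
  const headers = new Headers(request.headers);
  return NextResponse.next({ request: { headers } });
}`;

console.log('affected 14.2.31:', isAffectedVersion('14.2.31'));
console.log('bare next() calls at lines:', findBareNextCalls(SAMPLE_MIDDLEWARE));
```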