
CVE-2025-57822: CWE-918: Server-Side Request Forgery (SSRF) in vercel next.js

Medium
Tags: Vulnerability, CVE-2025-57822, cve, cve-2025-57822, cwe-918
Published: Fri Aug 29 2025 (08/29/2025, 21:33:15 UTC)
Source: CVE Database V5
Vendor/Project: vercel
Product: next.js

Description

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

AI-Powered Analysis

Last updated: 08/29/2025, 22:02:56 UTC

Technical Analysis

CVE-2025-57822 is a Server-Side Request Forgery (SSRF) vulnerability in the Next.js framework, affecting versions prior to 14.2.32 and 15.4.7. Next.js is a widely used React framework for building full-stack web applications, often deployed in self-hosted environments. The vulnerability arises when the next() function is invoked in custom middleware without explicitly passing the request object, which can cause the application to forward user-supplied headers that should never reach the next hop. An attacker can then craft requests that the server issues on their behalf to internal or external resources, potentially bypassing network restrictions or reaching sensitive internal services.

The vulnerability is categorized under CWE-918, which covers SSRF issues where an attacker can induce the server to make HTTP requests to arbitrary domains. The CVSS v3.1 base score is 6.5, indicating medium severity, with the vector showing network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), low integrity impact (I:L), and no availability impact (A:N). No known exploits are currently reported in the wild.

The issue has been addressed in Next.js versions 14.2.32 and 15.4.7. Users implementing custom middleware in self-hosted setups are strongly advised to upgrade and to verify correct usage of the next() function to prevent SSRF.
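The advisory's remedy is to make header forwarding explicit rather than implicit. The helper below is an added example, not Next.js code and not the project's fix: it builds an allowlisted set of request headers that a self-hosted middleware would pass through the `request` option of `NextResponse.next()`, so anything user-supplied outside the list is dropped. The allowlisted header names are an assumption chosen for illustration; the exact header the vulnerable path forwarded is not stated on this page.

```javascript
// Added example (not Next.js project code): build the request headers a
// self-hosted middleware forwards explicitly. The middleware passes the
// result through NextResponse.next({ request: { headers } }) instead of
// relying on implicit forwarding of the incoming request's headers.
// The names below are an assumption for illustration; keep only what the
// downstream routes actually need.
const FORWARDED_HEADER_ALLOWLIST = new Set([
  'accept',
  'accept-language',
  'authorization',
  'content-type',
  'cookie',
  'user-agent',
]);

// Returns a new Headers object holding only allowlisted headers from the
// incoming request. Fetch API header names are case-insensitive, so the
// comparison is done on the lowercased name.
function buildForwardedHeaders(incoming) {
  const forwarded = new Headers();
  for (const [name, value] of incoming.entries()) {
    if (FORWARDED_HEADER_ALLOWLIST.has(name.toLowerCase())) {
      forwarded.set(name, value);
    }
  }
  return forwarded;
}

// Names of incoming headers that were dropped; useful for audit logging
// when reviewing what user-controlled input the middleware discards.
function droppedHeaderNames(incoming) {
  return [...incoming.keys()].filter(
    (name) => !FORWARDED_HEADER_ALLOWLIST.has(name.toLowerCase()),
  );
}

// How the helper slots into middleware.ts. NextResponse is a Next.js import
// and is intentionally left as a comment so this file runs stand-alone:
//
//   export function middleware(request) {
//     const headers = buildForwardedHeaders(request.headers);
//     return NextResponse.next({ request: { headers } });
//   }
```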

Potential Impact

For European organizations, this SSRF vulnerability poses a significant risk, especially for those relying on self-hosted Next.js applications with custom middleware. Exploitation could lead to unauthorized access to internal services, potentially exposing sensitive data or enabling lateral movement within corporate networks. Confidentiality is primarily at risk, as attackers may retrieve internal information not intended for public access. Integrity impact is low but could be leveraged in multi-stage attacks. Availability is not directly affected. Given the widespread adoption of Next.js in Europe’s web development landscape, particularly among startups, SMEs, and enterprises building React-based applications, the vulnerability could be exploited to compromise internal APIs, cloud metadata services, or other protected resources. This is particularly concerning for sectors with stringent data protection requirements such as finance, healthcare, and government, where internal data leakage could lead to regulatory penalties under GDPR. The medium severity rating reflects the need for attention but also acknowledges the higher attack complexity and absence of known active exploitation, providing a window for remediation.

Mitigation Recommendations

European organizations should immediately audit their Next.js deployments to identify versions below 14.2.32 or 15.4.7, especially in self-hosted environments with custom middleware. Upgrading to the patched versions is the primary mitigation step. Additionally, developers must review middleware code to ensure the next() function is called with the explicit request object, so that headers are forwarded deliberately rather than by default. Implement strict input validation and sanitization on headers and other user-supplied data to reduce the SSRF attack surface. Enforce network segmentation to limit what the web tier can reach internally, minimizing the impact if SSRF is exploited. Employ web application firewalls (WAFs) with SSRF detection capabilities and monitor outbound requests for anomalies; logging and alerting on unusual requests to internal addresses can reveal exploitation attempts. Finally, conduct security code reviews and penetration testing focused on SSRF vectors in Next.js applications to proactively identify and remediate weaknesses.
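The monitoring recommendation above can be turned into a concrete check. The following is an added example, not part of the advisory: it scans constructed egress log lines from a self-hosted server and flags outbound requests whose destination is a loopback, RFC 1918 private, or link-local IPv4 address (the cloud metadata endpoint sits in the link-local range). The log line format and sample entries are constructed for the example; the regex would be adapted to real proxy or egress logs.

```javascript
// Added example (not from the advisory): flag outbound requests logged by a
// self-hosted Next.js server whose destination is loopback, private, or
// link-local. The log format below is constructed for this example.
const SAMPLE_LOG = [
  '2025-08-29T21:33:15Z outbound method=GET url=https://api.example.com/v1/items',
  '2025-08-29T21:33:16Z outbound method=GET url=http://169.254.169.254/latest/meta-data/',
  '2025-08-29T21:33:17Z outbound method=GET url=http://10.0.3.7:8080/admin',
  '2025-08-29T21:33:18Z outbound method=POST url=http://localhost:3000/internal',
].join('\n');

// IPv4 ranges a web tier should never reach on behalf of a user request.
function isInternalIPv4(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((n) => Number.isNaN(n) || n < 0 || n > 255)) {
    return false;
  }
  const [a, b] = parts;
  return (
    a === 10 ||                          // 10.0.0.0/8
    a === 127 ||                         // 127.0.0.0/8 loopback
    (a === 169 && b === 254) ||          // 169.254.0.0/16 link-local, incl. metadata
    (a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12
    (a === 192 && b === 168)             // 192.168.0.0/16
  );
}

// A hostname counts as internal if it is localhost, the IPv6 loopback, or a
// literal internal IPv4. DNS names that resolve to internal addresses are not
// caught here; resolve them first if the egress layer can do so.
function isInternalHost(hostname) {
  return hostname === 'localhost' || hostname === '[::1]' || isInternalIPv4(hostname);
}

// Extracts the url= field from each log line and returns the URLs whose host
// is internal, i.e. the candidates for an SSRF alert.
function findInternalEgress(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const match = line.match(/\burl=(\S+)/);
    if (!match) continue;
    let target;
    try { target = new URL(match[1]); } catch { continue; } // skip unparsable URLs
    if (isInternalHost(target.hostname)) hits.push(target.href);
  }
  return hits;
}
```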


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-20T14:30:35.011Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68b22005ad5a09ad007bb545

Added to database: 8/29/2025, 9:47:49 PM

Last enriched: 8/29/2025, 10:02:56 PM

Last updated: 8/29/2025, 10:17:48 PM

