CVE-2025-57822 is a Server-Side Request Forgery (SSRF) vulnerability identified in the Next.js framework, a popular React-based platform for building full-stack web applications. This vulnerability affects self-hosted Next.js applications running versions prior to 14.2.32 and 15.4.7. The root cause lies in the improper handling of the next() function within custom middleware logic. Specifically, when next() is invoked without explicitly passing the request object, the framework may incorrectly forward user-supplied headers. This flaw enables an attacker to craft malicious requests that the server then forwards internally, potentially accessing internal resources or services that are not intended to be exposed externally. SSRF vulnerabilities are particularly dangerous because they can allow attackers to bypass network access controls, reach internal-only endpoints, or exploit trust relationships within the infrastructure. The vulnerability has been assigned a CVSS v3.1 base score of 6.5, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N) shows that the attack can be performed remotely without authentication or user interaction but requires high attack complexity. The impact primarily affects confidentiality (high impact), with limited integrity impact and no availability impact. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and fixed in versions 14.2.32 and 15.4.7. Organizations using custom middleware in self-hosted Next.js environments should urgently review their usage of next() and upgrade to the patched versions to mitigate this risk.

For European organizations, the impact of this SSRF vulnerability can be significant, especially for those relying on Next.js for internal or customer-facing web applications. Exploitation could allow attackers to access sensitive internal services, databases, or metadata endpoints that are otherwise protected by network segmentation or firewalls. This could lead to unauthorized disclosure of confidential information, including personal data protected under GDPR, intellectual property, or internal configuration details. The partial integrity impact means attackers might manipulate some internal requests, potentially leading to further exploitation or pivoting within the network. While availability is not directly affected, the breach of confidentiality alone can result in regulatory penalties, reputational damage, and financial losses. The medium severity score suggests that exploitation is not trivial but feasible, emphasizing the need for proactive patching and code review. Organizations with complex middleware or custom header forwarding logic are at higher risk. Given the widespread adoption of Next.js in Europe’s tech sector, especially among startups and enterprises building modern web applications, the threat is relevant and should be addressed promptly.

1. Upgrade Next.js to versions 14.2.32 or 15.4.7 or later immediately to incorporate the official fix. 2. Conduct a thorough audit of all custom middleware implementations to ensure that the next() function is always called with the explicit request object, avoiding implicit forwarding of user-supplied headers. 3. Implement strict validation and sanitization of all headers and user inputs that influence internal requests. 4. Employ network segmentation and internal access controls to limit the exposure of sensitive internal endpoints, reducing the impact of potential SSRF exploitation. 5. Monitor application logs for unusual internal request patterns that may indicate SSRF attempts. 6. Use Web Application Firewalls (WAFs) with rules tailored to detect and block SSRF attack patterns targeting Next.js applications. 7. Educate development teams about secure middleware practices and the risks of SSRF to prevent similar issues in future code.