CVE-2025-6087: CWE-918 Server-Side Request Forgery (SSRF)
A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the /_next/image endpoint. This issue allowed attackers to load remote resources from arbitrary hosts under the victim site’s domain for any site deployed using the Cloudflare adapter for Open Next.

For example: https://victim-site.com/_next/image?url=https://attacker.com

In this example, attacker-controlled content from attacker.com is served through the victim site’s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.

Impact:
* SSRF via unrestricted remote URL loading
* Arbitrary remote content loading
* Potential internal service exposure or phishing risks through domain abuse

Mitigation:
The following mitigations have been put in place:
* Server-side updates to Cloudflare’s platform to restrict the content loaded via the /_next/image endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next.
* Root cause fix https://github.com/opennextjs/opennextjs-cloudflare/pull/727 to the Cloudflare adapter for Open Next. The patched version of the adapter is @opennextjs/cloudflare@1.3.0: https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.3.0
* Package dependency update https://github.com/cloudflare/workers-sdk/pull/9608 to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare is create-cloudflare@2.49.3: https://www.npmjs.com/package/create-cloudflare/v/2.49.3

In addition to the automatic mitigation deployed on Cloudflare’s platform, we encourage affected users to upgrade to @opennextjs/cloudflare v1.3.0 and use the remotePatterns filter in the Next config (https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns) if they need to allow-list external URLs for image assets.
AI Analysis
Technical Summary
CVE-2025-6087 is a Server-Side Request Forgery (SSRF) vulnerability identified in the @opennextjs/cloudflare package, specifically within the Cloudflare adapter for Open Next. The vulnerability arises from an unimplemented or improperly restricted feature in the /_next/image endpoint, which allowed unauthenticated attackers to proxy arbitrary remote content through the victim's domain. This means that an attacker could craft a URL such as https://victim-site.com/_next/image?url=https://attacker.com, causing the victim site to load and serve content from an attacker-controlled domain under the victim's domain name. This behavior violates the same-origin policy, potentially misleading users or other services that trust the victim domain. The SSRF flaw enables attackers to load arbitrary remote resources, which can be exploited to conduct phishing attacks by abusing the victim domain, or potentially to access internal services if the proxying allows requests to internal IP ranges or services not normally exposed externally. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely. The Cloudflare platform has deployed server-side mitigations restricting the /_next/image endpoint to only load image content, which automatically protects existing and future deployments using the affected adapter version. Additionally, a root cause fix was released in @opennextjs/cloudflare version 1.3.0, which enforces proper filtering of remote URLs via the remotePatterns configuration in Next.js. The create-cloudflare package was also updated to incorporate this fix. Users are strongly encouraged to upgrade to the patched versions and configure remotePatterns to allow-list only trusted external image URLs. No known exploits are currently reported in the wild. 
The CVSS 4.0 base score is 7.8 (high severity), reflecting the network attack vector, no required privileges or user interaction, and the potential for limited confidentiality and integrity impacts, with a high scope due to the vulnerability affecting multiple tenants or sites deployed on Cloudflare using this adapter.
Potential Impact
For European organizations, this SSRF vulnerability poses significant risks, particularly for those leveraging the Open Next framework with Cloudflare integration to serve web content. The ability for attackers to proxy arbitrary content through a trusted domain can lead to phishing campaigns that exploit user trust in legitimate domains, increasing the risk of credential theft or malware distribution. Additionally, if internal services are accessible via the proxy, attackers could gain unauthorized access to sensitive internal resources, leading to data breaches or service disruptions. The violation of the same-origin policy may also undermine web application security controls, potentially facilitating further attacks such as cross-site scripting or session hijacking. Organizations in sectors with high regulatory requirements, such as finance, healthcare, and government, could face compliance violations and reputational damage if exploited. The automatic mitigation by Cloudflare reduces exposure for many users; however, organizations self-hosting or not promptly updating remain at risk. The impact extends beyond confidentiality to integrity and availability, as attackers might manipulate content served to users or disrupt legitimate service functionality.
Mitigation Recommendations
Beyond upgrading to @opennextjs/cloudflare version 1.3.0 and create-cloudflare version 2.49.3, European organizations should implement the following specific mitigations:
1) Strictly configure the remotePatterns filter in Next.js to allow-list only trusted external image sources, minimizing the risk of proxying malicious content.
2) Conduct thorough audits of all web applications using the Cloudflare adapter for Open Next to identify and remediate any instances running vulnerable versions.
3) Monitor web traffic logs for unusual requests to the /_next/image endpoint, particularly those with suspicious or unexpected URL parameters, to detect potential exploitation attempts.
4) Employ Web Application Firewalls (WAF) with custom rules to block or alert on SSRF-like request patterns targeting the vulnerable endpoint.
5) Review internal network segmentation and firewall rules to ensure that even if SSRF is exploited, internal services are not accessible or are protected by additional authentication layers.
6) Educate development and security teams about SSRF risks and secure coding practices related to proxying external resources.
7) Coordinate with Cloudflare support to confirm that platform-level mitigations are active and properly configured for their deployments.
These targeted actions will help reduce the attack surface and improve detection and response capabilities.
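The remotePatterns allow-list that the advisory's Mitigation section and recommendation 1 above point to, shown as an added JavaScript example (not code from the advisory, from Next.js or from the @opennextjs/cloudflare adapter): a simplified re-implementation of how a pattern list is matched against the url parameter of a /_next/image request, so the advisory's example request is denied while an allow-listed image host passes. The host images.example.com, the /static/ path, the request URLs with w and q parameters, and the wildcard rules (`*` one label or segment, `**` any number) are constructed assumptions, not the exact Next.js matching semantics.

```javascript
// Turn a hostname or pathname glob into an anchored RegExp. Simplified rule (assumption):
// `*` matches one label/segment, `**` matches any number of them.
function globToRegExp(glob, sep) {
  const single = sep === '.' ? '[^.]*' : '[^/]*';
  const src = glob.split(/(\*\*|\*)/).map((part) => {
    if (part === '**') return '.*';
    if (part === '*') return single;
    return part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // escape literal text
  }).join('');
  return new RegExp(`^${src}$`);
}

// One remotePatterns entry: protocol, hostname, optional port, optional pathname.
function matchesPattern(u, p) {
  if (p.protocol && `${p.protocol}:` !== u.protocol) return false;
  if (p.port !== undefined && String(p.port) !== u.port) return false;
  if (!globToRegExp(p.hostname, '.').test(u.hostname)) return false;
  if (p.pathname && !globToRegExp(p.pathname, '/').test(u.pathname)) return false;
  return true;
}

// True only when some pattern allows the absolute remote URL. An empty list denies
// everything; the vulnerable behaviour in the advisory is equivalent to skipping this check.
function isAllowedRemoteUrl(urlParam, remotePatterns) {
  let u;
  try { u = new URL(urlParam); } catch { return false; } // also rejects protocol-relative //host
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  return remotePatterns.some((p) => matchesPattern(u, p));
}

// Decide an incoming /_next/image request. Same-origin paths (/logo.png) are served locally;
// anything else must pass the allow-list.
function imageRequestAllowed(requestUrl, remotePatterns) {
  const req = new URL(requestUrl);
  if (req.pathname !== '/_next/image') return false;
  const target = req.searchParams.get('url');
  if (target === null) return false;
  if (target.startsWith('/') && !target.startsWith('//')) return true;
  return isAllowedRemoteUrl(target, remotePatterns);
}

// Constructed allow-list: only the site's own image CDN over HTTPS, under /static/.
const REMOTE_PATTERNS = [{ protocol: 'https', hostname: 'images.example.com', pathname: '/static/**' }];

// The advisory's example request is denied under the allow-list.
console.log(imageRequestAllowed('https://victim-site.com/_next/image?url=https://attacker.com', REMOTE_PATTERNS)); // false
```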
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: cloudflare
- Date Reserved: 2025-06-14T02:12:00.423Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68506737a8c921274384875a
Added to database: 6/16/2025, 6:49:27 PM
Last enriched: 6/16/2025, 7:04:39 PM
Last updated: 8/15/2025, 9:10:09 PM