Nextjs, Server-Side Request Forgery, CVE-2025-12345 (Moderate)


The vulnerability exists within the Next.js middleware's `next()` function. When a developer calls `next()` without explicitly passing the `request` object, the function internally reuses the original incoming request object. This object can contain user-supplied headers, such as `Host` or `X-Forwarded-Host`. In self-hosted deployments where these headers are not validated or sanitized before being forwarded through the `next()` call, the malicious values are processed as if they were trustworthy. This allows an attacker to manipulate the internal request routing and cause the application to make HTTP requests to internal, non-public services within the network, leading to a Server-Side Request Forgery (SSRF) condition.
Platform: Next.js
Version: <14.2.32, <15.4.7
Vulnerability: SSRF
Severity: Moderate

date: 2025-08-29

Prediction: 2025-09-05

What Undercode Say:

Simulating header injection for testing:

```shell
curl -H "Host: 169.254.169.254" http://target-app.com/api/data
```

Example vulnerable middleware snippet (in Next.js the call is `NextResponse.next()` from `next/server`):

```javascript
import { NextResponse } from 'next/server';

export function middleware(request) {
  // Missing request object passed to next(): the original incoming
  // request, including user-supplied Host / X-Forwarded-Host, is reused
  return NextResponse.next(); // Vulnerable call
}
```

How It Is Exploited:

Attacker sends requests with manipulated `Host` header pointing to internal metadata endpoints or internal APIs. The misconfigured middleware processes this header, leading the application server to connect to the attacker-specified internal address instead of the intended backend service, potentially exposing sensitive internal data.

Protection from this CVE:

Upgrade to patched versions. Explicitly pass the `request` object when calling `next()`: `return next(request)`. Implement strict validation for all incoming headers, especially those influencing routing or backend service communication. Avoid blindly forwarding user-supplied headers.
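The header validation and explicit-request pattern described above, as an added example that is not the page's or the Next.js project's own code. The allowlist, the hostnames and the middleware wiring in the trailing comment are assumptions for illustration; the two functions run stand-alone in Node 18+ (which provides the global `Headers`).

```javascript
// Added example: validate routing-sensitive headers in a self-hosted
// Next.js middleware before calling next(), then pass a sanitized request
// explicitly instead of letting next() reuse the raw incoming one.
const ALLOWED_HOSTS = new Set(['app.example.com', 'localhost']); // assumed allowlist

// Normalise a Host / X-Forwarded-Host value to a bare hostname: lower-case,
// drop a trailing port, unwrap IPv6 brackets. Returns null when malformed.
function normalizeHost(value) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  let host = value.trim().toLowerCase();
  // Some proxies send a comma-separated list; only the first entry counts.
  host = host.split(',')[0].trim();
  if (host.startsWith('[')) {
    const end = host.indexOf(']');
    if (end === -1) return null;
    return host.slice(1, end); // bracketed IPv6 literal, port discarded
  }
  const colon = host.indexOf(':');
  if (colon !== -1) host = host.slice(0, colon);
  return /^[a-z0-9.-]+$/.test(host) ? host : null;
}

// Decide whether a request's routing headers are trustworthy.
// Returns { ok: true, host } or { ok: false, reason }.
function checkRoutingHeaders(headers) {
  const host = normalizeHost(headers.get('host'));
  if (host === null || !ALLOWED_HOSTS.has(host)) {
    return { ok: false, reason: 'host not in allowlist' };
  }
  const forwarded = headers.get('x-forwarded-host');
  if (forwarded !== null && normalizeHost(forwarded) !== host) {
    return { ok: false, reason: 'x-forwarded-host mismatch' };
  }
  return { ok: true, host };
}

// Assumed middleware wiring (needs 'next/server' in a real app):
//   import { NextResponse } from 'next/server';
//   export function middleware(request) {
//     const verdict = checkRoutingHeaders(request.headers);
//     if (!verdict.ok) return new NextResponse('Bad Request', { status: 400 });
//     const headers = new Headers(request.headers);
//     headers.delete('x-forwarded-host'); // never forward user-supplied routing hints
//     return NextResponse.next({ request: { headers } }); // request passed explicitly
//   }
```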

Impact:

SSRF allows attackers to scan and access internal services, potentially reaching cloud metadata services (e.g., AWS IMDS) to steal credentials or sensitive configuration data, and interact with internal APIs not exposed to the public internet.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
