VulWall Team March 19, 2026 4 min read

Outdated Next.js Version Exposes Server to Unauthorized Internal Requests

Your website is running an outdated version of Next.js (the framework powering your web app) that contains a known security flaw. Under specific conditions, this flaw could allow an outside visitor to trick your server into making requests to internal systems it shouldn't be able to reach. A patch is available and the fix is straightforward — update to the latest version.

OWASP A10 Effort: small Exploitable
ssrf nextjs middleware cve header-injection self-hosted server-side-request-forgery cve-2025-57822

Business Impact And Actions

high urgency

Business Impact

If your app uses custom routing logic (called 'middleware') and is hosted on your own servers rather than Vercel's managed platform, this flaw could allow an attacker to probe internal services behind your firewall. For most small SaaS businesses, the practical risk is moderate: exploitation requires a specific code pattern to be present. That said, running known-vulnerable software can flag compliance audits and erode customer trust if disclosed.

What To Do

  1. Ask your developer to check which version of Next.js your app is running — if it's below 14.2.32 (or below 15.4.7 on the v15 branch), schedule an upgrade.
  2. If your app uses a 'middleware.ts' or 'middleware.js' file, ask your developer to review it and ensure it follows the updated guidance from Vercel (see the technical notes).
  3. If you host Next.js on Vercel's own platform, you are not affected — confirm your deployment environment with your developer.
  4. Once updated, ask your developer to confirm the new version is live before closing this finding.

Next.js Middleware SSRF via Improper NextResponse.next() Header Forwarding (CVE-2025-57822)

medium severity CVSS 6.5

Vulnerability Explanation

In Next.js versions prior to 14.2.32 and 15.4.7, the middleware layer contained a flaw in how it processed responses that included a `Location` header. Before the patch, any middleware response containing a `Location` header was unconditionally treated as a redirect, causing the server to attempt to fetch the URL specified in that header. Because request headers could be passed directly into `NextResponse.next()` without sanitization, an attacker could craft a request with a malicious `Location` header value, causing the Next.js server to issue an unintended internal request — a classic Server-Side Request Forgery (SSRF) pattern. The vulnerable code path was in `getResolveRoutes` within `packages/next/src/server/lib/router-utils/resolve-routes.ts`. The fix adds a check to ensure the response status code is a valid redirect status before treating the `Location` header as a redirect target.

Root Cause

The `getResolveRoutes` function did not validate that a redirect status code was present before acting on a `Location` response header. Combined with middleware patterns that forwarded raw incoming request headers into `NextResponse.next()`, this allowed user-controlled header values to influence server-side routing decisions.

Technical Impact

An unauthenticated remote attacker can craft HTTP requests with a malicious `Location` header that, when reflected through vulnerable middleware into `NextResponse.next()`, causes the Next.js server to make outbound requests to attacker-specified internal or external URLs. This can result in: access to internal-only services (metadata endpoints, databases, admin APIs), network reconnaissance behind a firewall, and potential data exfiltration. Exploitation requires the application to have custom middleware that forwards request headers without sanitization and to be running in a self-hosted (non-Vercel-managed) environment.

Severity Justification

Network-accessible with no authentication required, but exploitation depends on a specific middleware implementation pattern (direct header forwarding into NextResponse.next()). Not universally exploitable across all Next.js deployments. CVSS 6.5 aligns with the official GitHub Advisory classification of 'Moderate'.

Affected Components

  • next (npm) >= 0.9.9, < 14.2.32
  • next (npm) >= 15.0.0-canary.0, < 15.4.7

Remediation Steps

  1. Upgrade Next.js to 14.2.32 (for v14 users) or 15.4.7 (for v15 users): `npm install next@14.2.32` or `npm install next@15.4.7`.
  2. Audit all `middleware.ts` / `middleware.js` files for patterns that pass raw request headers into `NextResponse.next()`. Replace them with the explicit safe form.
  3. Ensure the `Location` header and other sensitive routing headers are never forwarded from client requests to `NextResponse.next()` without validation.
  4. After upgrading, redeploy the application and verify the running version matches the patched release.

Verification Steps

  1. Run `npm list next` or check `package.json` to confirm the installed version is >= 14.2.32 or >= 15.4.7.
  2. Review all middleware files for `NextResponse.next({ request: { headers: ... } })` patterns and confirm no raw `request.headers` are passed through without sanitization.
  3. Send a test request with a crafted `Location` header to a middleware-protected route and confirm the server does not follow the redirect to an internal address.
  4. Check application logs post-deployment for any anomalous outbound requests to internal IP ranges.

Code Examples (typescript)

Vulnerable
// middleware.ts — VULNERABLE: raw request headers forwarded into NextResponse.next()
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

export function middleware(request: NextRequest) {
  // Dangerous: forwards all incoming headers, including attacker-controlled ones
  return NextResponse.next({
    request: {
      headers: request.headers, // ← passes Location and other sensitive headers through
    },
  });
}
Fixed
// middleware.ts — FIXED: explicitly construct only the headers you need
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

export function middleware(request: NextRequest) {
  // Safe: pass the request object directly, or build a clean headers object
  return NextResponse.next({ request });
  // OR, if you need to add/modify specific headers:
  // const requestHeaders = new Headers(request.headers);
  // requestHeaders.delete('location'); // strip sensitive headers explicitly
  // return NextResponse.next({ request: { headers: requestHeaders } });
}

Best Practices

  • Never forward raw, unvalidated client request headers to internal routing functions — always construct an explicit, allowlisted set of headers.
  • Treat any header that influences server-side routing (e.g., `Location`, `X-Middleware-Rewrite`) as untrusted input and strip or validate it before use.
  • Keep framework dependencies pinned to a minor version range and subscribe to the framework's security advisory feed (GitHub Advisories for `vercel/next.js`).
  • In self-hosted environments, apply network egress controls to limit which internal addresses your Next.js process can reach, reducing SSRF blast radius.

References

Found this in your infrastructure?

VulWall scans for this and dozens of other issues automatically.

Scan Your Domain Free
Back to Knowledge Base