Vercel Next.js
cpe:2.3:a:vercel:next.js:*:*:*:*:node.js:*:*
- < 14.2.32
- < 15.4.7
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Next.js versions prior to 14.2.32 and 15.4.7. The issue arises in self-hosted applications that incorrectly forward user-supplied headers when the next() function is used without explicitly passing the request object. This vulnerability allows an attacker to manipulate internal requests through middleware, potentially accessing sensitive resources or services.
Exploitation of this vulnerability could allow an attacker to influence the destination of internal requests made by the middleware, perform SSRF against internal infrastructure by exploiting forwarded user-controlled headers, and potentially access sensitive internal resources unintentionally exposed via internal redirects.
The vulnerability can be reproduced by creating a self-hosted Next.js application that uses custom middleware. The middleware should be configured to forward user-supplied headers without validation. When the next() function is called without the request object, the application will reflect the headers back in a way that can be exploited.
Users are advised to upgrade to Next.js 14.2.32 or 15.4.7. Where an immediate upgrade is not possible, ensure that middleware follows the official guidance: pass the request object explicitly to next() and do not forward user-controlled headers without validation.
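The following is an added example, not code from this advisory or from the Next.js project, of the remediation pattern the advisory describes for self-hosted middleware: instead of letting every client-supplied header travel onward, the middleware builds the forwarded header set from an allowlist and overrides any name it sets itself, then hands that set to next() via the request option. The header names in the allowlist, the server-set header, and the sample request are illustrative assumptions; each deployment decides which headers its own route handlers actually need.

```javascript
// Added example (not from the advisory or Next.js): an allowlist filter for the
// request headers a self-hosted middleware passes back to Next.js through
// NextResponse.next({ request: { headers } }).
// The allowlist contents and the sample request below are illustrative assumptions.

// Only these client-supplied headers are copied onto the forwarded request.
// Everything else, including any header that could steer where a request goes
// or who it appears to come from, is dropped rather than passed through.
const FORWARD_ALLOWLIST = new Set([
  'accept',
  'accept-language',
  'content-type',
  'authorization',
]);

// A header value must be a single line; a value containing CR or LF is refused
// so it cannot be read as additional header lines by anything downstream.
function isSingleLine(value) {
  return typeof value === 'string' && !/[\r\n]/.test(value);
}

// incoming: any iterable of [name, value] pairs (a Headers object, a Map, or
// Object.entries(obj)). Returns a plain object keyed by lower-cased names.
function buildForwardHeaders(incoming, allowlist = FORWARD_ALLOWLIST) {
  const out = {};
  for (const [rawName, value] of incoming) {
    const name = String(rawName).toLowerCase();
    if (!allowlist.has(name) || !isSingleLine(value)) continue;
    out[name] = value;
  }
  return out;
}

// Headers the middleware sets itself always win over anything the client sent,
// so a client cannot pre-populate a name the server relies on.
function mergeServerHeaders(forwarded, serverSet) {
  const out = { ...forwarded };
  for (const [name, value] of Object.entries(serverSet)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Constructed sample request: ordinary client headers mixed with headers that
// should never be copied onto a request made on the client's behalf.
const SAMPLE_REQUEST_HEADERS = [
  ['Host', 'client-chosen.example'],
  ['X-Forwarded-Host', 'client-chosen.example'],
  ['Accept', 'text/html'],
  ['Accept-Language', 'en'],
  ['Content-Type', 'text/plain\r\nX-Injected: 1'],
  ['X-Request-Id', 'client-chosen-id'],
];

// Runs the filter over the sample and applies the server-set request id
// (the header name is an illustrative assumption).
function demo() {
  const forwarded = buildForwardHeaders(SAMPLE_REQUEST_HEADERS);
  return mergeServerHeaders(forwarded, { 'X-Request-Id': 'server-generated-id' });
}

// Wiring inside middleware.ts, shown as a comment because this file runs
// without Next.js installed (NextResponse.next with a request option is the
// documented Next.js API):
//   const headers = new Headers(mergeServerHeaders(
//     buildForwardHeaders(request.headers), { 'x-request-id': id }));
//   return NextResponse.next({ request: { headers } });
```

In the sample, Host and X-Forwarded-Host are not on the allowlist and are dropped, the Content-Type value is refused because it spans more than one line, and the client's X-Request-Id is replaced by the server's own value; only Accept and Accept-Language pass through unchanged. Whatever allowlist a deployment chooses, the point is that the set of forwarded headers is decided by the middleware, not by the client.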