@opennextjs/cloudflare Server-Side Request Forgery Vulnerability

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in the @opennextjs/cloudflare package, specifically within the Cloudflare adapter for Open Next. This vulnerability allows unauthenticated users to proxy arbitrary remote content through the /_next/image endpoint. As a result, attackers can load resources from any host under the victim site's domain, potentially violating the same-origin policy and misleading users or services. The vulnerability affects several versions of the @opennextjs/cloudflare package.

Impact

Exploitation of this vulnerability allows for unrestricted remote URL loading, arbitrary content loading from external sources, and potential exposure of internal services or phishing risks through domain abuse.

Remediation

Users are advised to upgrade to @opennextjs/cloudflare version 1.3.0. The patched version of the Cloudflare adapter for Open Next is available on npm. Additionally, users should update the create-cloudflare package to version 2.49.3, which includes the fixed version of the Cloudflare adapter. After upgrading, it is recommended to use the remotePatterns filter in the Next.js configuration to allow-list the external URLs from which image assets may be loaded.
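The remotePatterns allow-list mentioned above, as an added example that is not part of this advisory or of the @opennextjs/cloudflare project: a next.config.js fragment that permits images from a single placeholder host (images.example.com) and path prefix, followed by a small matcher that shows how such an allow-list decides which remote URLs the image endpoint may fetch. The matcher is a simplified illustration written here, not the matching code that Next.js ships; the `isAllowedRemoteImage` and `globToRegExp` helpers are assumptions introduced for this example.

```javascript
// Added example (not from the advisory or the project): a remotePatterns
// allow-list for next/image plus a simplified matcher illustrating how the
// list restricts what /_next/image will proxy. The matcher approximates the
// documented semantics (`*` = one label or path segment, `**` = any depth);
// it is NOT the implementation inside Next.js. Hostnames are placeholders.

/** @type {import('next').NextConfig} */
const nextConfig = {
  images: {
    // Only URLs matching at least one pattern may be proxied through /_next/image.
    remotePatterns: [
      {
        protocol: 'https',
        hostname: 'images.example.com', // placeholder host
        pathname: '/assets/**',         // anything below /assets/
      },
    ],
  },
};

// Escape a literal character for use inside a RegExp source string.
function escapeRegExpChar(ch) {
  return ch.replace(/[.*+?^${}()|[\]\\/]/g, '\\$&');
}

// Convert a glob into an anchored RegExp. `separator` is the character a
// single `*` must not cross ('.' for hostnames, '/' for paths).
function globToRegExp(glob, separator) {
  const sep = escapeRegExpChar(separator);
  let re = '';
  let i = 0;
  while (i < glob.length) {
    if (glob.startsWith('**', i)) {
      re += '.*';          // any number of labels / segments
      i += 2;
    } else if (glob[i] === '*') {
      re += `[^${sep}]*`;  // exactly one label / segment
      i += 1;
    } else {
      re += escapeRegExpChar(glob[i]);
      i += 1;
    }
  }
  return new RegExp(`^${re}$`);
}

// Returns true when `url` matches at least one remote pattern, false otherwise.
// Unparseable input is rejected rather than forwarded to a fetch.
function isAllowedRemoteImage(url, patterns) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  return patterns.some((p) => {
    if (p.protocol && parsed.protocol !== `${p.protocol}:`) return false;
    if (p.port !== undefined && parsed.port !== p.port) return false;
    if (!globToRegExp(p.hostname, '.').test(parsed.hostname)) return false;
    if (p.pathname && !globToRegExp(p.pathname, '/').test(parsed.pathname)) return false;
    return true;
  });
}

// In a real next.config.js only the config object is exported.
if (typeof module !== 'undefined') {
  module.exports = nextConfig;
}
```

Keep the patterns as narrow as the application allows: a hostname of `**` or a pathname of `/**` on a broad host turns the allow-list back into an open proxy, which is the condition this advisory describes. The allow-list narrows what the patched image endpoint will fetch; the version upgrade is what removes the vulnerability itself.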

Added: Jun 16, 2025, 7:21 PM
Updated: Jun 16, 2025, 7:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.0
exploitability: 8.1
remediation: 0.0
relevance: 0.2
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.