@opennextjs/cloudflare Server-Side Request Forgery Vulnerability
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability exists in the @opennextjs/cloudflare package in versions prior to 1.3.0. The issue arises from a path normalization bypass in the '/cdn-cgi/image/' handler, which is meant for development use only. In production, Cloudflare's edge normally intercepts these requests before they reach the Worker. However, by substituting a backslash for a forward slash in the path, an attacker can bypass this interception so that the request is processed by the Worker. The handler then performs an unvalidated fetch of an arbitrary remote URL, potentially violating the same-origin policy by serving attacker-controlled content from the victim site's domain. Similar weaknesses exist in Cloudflare Workers with Assets and Cloudflare Pages, where the same backslash bypass could expose private data.
Impact
Exploitation allows for unrestricted loading of remote URLs, potentially leading to internal service exposure or phishing risks through domain abuse.
Reproduction
To reproduce this vulnerability, deploy a Next.js application using a version of the Cloudflare adapter prior to 1.3.0. Once deployed, send a request to the '/cdn-cgi/image/' endpoint with the forward slashes replaced by backslashes. If using a tool like curl, include the '--path-as-is' option so the path is sent unmodified. The request bypasses Cloudflare's edge interception and reaches the Worker, which fetches the arbitrary remote URL embedded in the path.
Remediation
Upgrade to '@opennextjs/cloudflare' version 1.3.0 or later. After upgrading, use the 'remotePatterns' filter in the Next.js image configuration to allow-list the external hosts from which image assets may be fetched.
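The following is an added example, not code from @opennextjs/cloudflare or Next.js, showing the two defensive checks this advisory implies: normalizing request paths so that backslash (or percent-encoded backslash) variants of '/cdn-cgi/image/' are recognized, and validating the remote source URL against a 'remotePatterns'-style allow-list before any fetch. Every function name (normalizePath, isImageHandlerPath, isAllowedRemoteUrl, guardImageRequest), the allow-list entries and the hostnames are hypothetical or constructed for the example.

```javascript
// Added example (not the project's own code). Worker-side guard for the
// development-only image handler: detect path-separator substitution and
// allow-list the remote image source. All names here are hypothetical.

// Constructed allow-list in the shape of Next.js images.remotePatterns.
const remotePatterns = [
  { protocol: 'https', hostname: 'images.example.com', pathname: '/**' },
  { protocol: 'https', hostname: '**.cdn.example.net' },
];

// Fold backslashes into forward slashes, including ones hidden behind
// percent-encoding, so a prefix check cannot be evaded by the substitution
// the advisory describes. Embedded "https://" segments are left intact.
function normalizePath(pathname) {
  let p = pathname.replace(/\\/g, '/');
  try {
    p = decodeURIComponent(p);
  } catch (_) {
    // Malformed percent-encoding: keep the raw string rather than failing open.
  }
  return p.replace(/\\/g, '/');
}

function isImageHandlerPath(pathname) {
  return normalizePath(pathname).startsWith('/cdn-cgi/image/');
}

// Hostname glob in the remotePatterns style: '**.' matches any number of
// subdomains, '*.' exactly one label, otherwise an exact match.
function hostnameMatches(pattern, hostname) {
  if (pattern.startsWith('**.')) {
    const base = pattern.slice(3);
    return hostname === base || hostname.endsWith('.' + base);
  }
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    if (!hostname.endsWith('.' + base)) return false;
    const label = hostname.slice(0, hostname.length - base.length - 1);
    return label.length > 0 && !label.includes('.');
  }
  return pattern === hostname;
}

// Pathname glob: '/prefix/**' matches anything under the prefix; an omitted
// pattern matches every path; anything else must match exactly.
function pathnameMatches(pattern, pathname) {
  if (pattern === undefined) return true;
  if (pattern.endsWith('/**')) return pathname.startsWith(pattern.slice(0, -2));
  return pattern === pathname;
}

function matchesRemotePattern(pattern, url) {
  const protocol = url.protocol.replace(/:$/, '');
  if (pattern.protocol && pattern.protocol !== protocol) return false;
  if (pattern.port && pattern.port !== url.port) return false;
  if (!hostnameMatches(pattern.hostname, url.hostname)) return false;
  return pathnameMatches(pattern.pathname, url.pathname);
}

// True only for a well-formed http(s) URL that matches an allow-list entry.
// Unparseable input and non-web schemes (file:, etc.) are rejected.
function isAllowedRemoteUrl(raw, patterns = remotePatterns) {
  let url;
  try {
    url = new URL(raw);
  } catch (_) {
    return false;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return patterns.some((p) => matchesRemotePattern(p, url));
}

// Guard to run on the raw request path before the image handler. The source
// URL sits after the options segment: /cdn-cgi/image/<options>/<source-url>.
// Returns 403 when the handler is targeted with a non-allow-listed source,
// 200 otherwise (status codes only; the response body is left to the caller).
function guardImageRequest(rawPath) {
  if (!isImageHandlerPath(rawPath)) return 200;
  const rest = normalizePath(rawPath).slice('/cdn-cgi/image/'.length);
  const slash = rest.indexOf('/');
  const source = slash === -1 ? '' : rest.slice(slash + 1);
  return isAllowedRemoteUrl(source) ? 200 : 403;
}

module.exports = { normalizePath, isImageHandlerPath, isAllowedRemoteUrl, guardImageRequest };
```

The guard works on the raw request path rather than on `new URL(request.url).pathname`, because WHATWG URL parsing already folds backslashes into slashes for http(s) URLs; comparing the raw path against the parsed one is a simple way to log the substitution as a detection signal, while the allow-list check is what actually prevents the unvalidated fetch.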
