CVE-2025-6087

{"id": "CVE-2025-6087", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cna@cloudflare.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-16T19:15:33.837", "references": [{"url": "https://github.com/opennextjs/opennextjs-cloudflare", "source": "cna@cloudflare.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "cna@cloudflare.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the /_next/image endpoint.\n\nThis issue allowed attackers to load remote resources from arbitrary hosts under the victim site\u2019s domain for any site deployed using the Cloudflare adapter for Open Next.\u00a0\n\n\n\n\nFor example:\n\n https://victim-site.com/_next/image?url=https://attacker.com \n\nIn this example, attacker-controlled content from attacker.com is served through the victim site\u2019s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.\n\n\n\n\nImpact:\n\n * SSRF via unrestricted remote URL loading\n\n\n\n\n * Arbitrary remote content loading\n\n\n\n\n * Potential internal service exposure or phishing risks through domain abuse\n\n\n\n\n\n\n\nMitigation:\n\nThe following mitigations have been put in place:\n\n * Server side updates to Cloudflare\u2019s platform to restrict the content loaded via the\u00a0/_next/image\u00a0endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next\n\n\n\n\n * Root cause fix https://github.com/opennextjs/opennextjs-cloudflare/pull/727 \u00a0to the Cloudflare adapter for Open Next. The patched version of the adapter is found here\u00a0 @opennextjs/cloudflare@1.3.0 https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.3.0 \n\n\n * Package dependency update https://github.com/cloudflare/workers-sdk/pull/9608 \u00a0to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare is found here:\u00a0 create-cloudflare@2.49.3 https://www.npmjs.com/package/create-cloudflare/v/2.49.3 \n\n\n\n\nIn addition to the automatic mitigation deployed on Cloudflare\u2019s platform, we encourage affected users to upgrade to @opennext/cloudflare v1.3.0 and use the remotePatterns https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns filter in Next config https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns if they need to allow-list external urls with images assets."}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de Server-Side Request Forgery (SSRF) en el paquete @opennextjs/cloudflare. Esta vulnerabilidad se debe a una funci\u00f3n no implementada en el adaptador de Cloudflare para Open Next, que permit\u00eda a usuarios no autenticados acceder a contenido remoto arbitrario mediante el endpoint /_next/image. Este problema permit\u00eda a los atacantes cargar recursos remotos desde hosts arbitrarios bajo el dominio del sitio web v\u00edctima para cualquier sitio implementado con el adaptador de Cloudflare para Open Next. Por ejemplo: https://victim-site.com/_next/image?url=https://attacker.com. En este ejemplo, el contenido controlado por el atacante desde attacker.com se distribuye a trav\u00e9s del dominio del sitio web v\u00edctima (victim-site.com), lo que infringe la pol\u00edtica de mismo origen y podr\u00eda inducir a error a usuarios u otros servicios. Impacto: * SSRF mediante carga remota de URL sin restricciones * Carga remota arbitraria de contenido * Posible exposici\u00f3n interna del servicio o riesgos de phishing por abuso de dominio. Mitigaci\u00f3n: Se han implementado las siguientes mitigaciones: * Actualizaciones del servidor en la plataforma de Cloudflare para restringir el contenido cargado a trav\u00e9s del endpoint /_next/image a im\u00e1genes. La actualizaci\u00f3n mitiga autom\u00e1ticamente el problema en todos los sitios existentes y futuros implementados en Cloudflare que utilicen la versi\u00f3n afectada del adaptador de Cloudflare para Open Next. * Correcci\u00f3n de la causa ra\u00edz (https://github.com/opennextjs/opennextjs-cloudflare/pull/727) en el adaptador de Cloudflare para Open Next. La versi\u00f3n parcheada del adaptador se encuentra aqu\u00ed @opennextjs/cloudflare@1.3.0 https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.3.0 * Actualizaci\u00f3n de la dependencia del paquete https://github.com/cloudflare/workers-sdk/pull/9608 para create-cloudflare (c3) para usar la versi\u00f3n corregida del adaptador de Cloudflare para Open Next. La versi\u00f3n parcheada de create-cloudflare se encuentra aqu\u00ed: create-cloudflare@2.49.3 https://www.npmjs.com/package/create-cloudflare/v/2.49.3 Adem\u00e1s de la mitigaci\u00f3n autom\u00e1tica implementada en la plataforma de Cloudflare, recomendamos a los usuarios afectados que actualicen a @opennext/cloudflare v1.3.0 y utilicen el filtro remotePatterns https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns en la configuraci\u00f3n de Next https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns si necesitan incluir en la lista de permitidos URL externas con recursos de im\u00e1genes."}], "lastModified": "2025-06-17T20:50:23.507", "sourceIdentifier": "cna@cloudflare.com"}