A critical Server-Side Request Forgery (SSRF) vulnerability has been discovered in the @opennextjs/cloudflare package, allowing unauthenticated attackers to proxy arbitrary remote content through victim websites.
The security vulnerability, identified as GHSA-rvpw-p7vw-wj3m, affected all versions prior to 1.3.0 and stemmed from an unimplemented feature in the Cloudflare adapter for Open Next.
Security researcher Edward Coristine responsibly disclosed the vulnerability, which has since been patched through coordinated efforts between Cloudflare and the Open Next development team.
The SSRF vulnerability originated from a critical oversight in the /_next/image endpoint implementation within the Cloudflare adapter for Open Next.
This endpoint, designed to handle image optimization and delivery in Next.js applications, lacked proper validation and restrictions on remote URL sources.
The vulnerability allowed attackers to craft malicious requests that could fetch content from any external domain and serve it through the victim’s website domain.
The exploitation mechanism was straightforward yet dangerous. Attackers could construct URLs following the pattern https://victim-site.com/_next/image?url=https://attacker.com, effectively turning legitimate websites into unwitting proxies for malicious content.
This was possible because the endpoint did not implement the URL validation, content type verification, or domain allowlisting that would normally prevent such abuse.
The vulnerability’s technical severity was amplified by its simplicity and the fact that it required no authentication or special privileges to exploit.
Any external party could immediately leverage affected sites to serve arbitrary content, making this a particularly dangerous attack vector for widespread exploitation across the ecosystem of sites using the vulnerable Cloudflare adapter.
The security implications of this SSRF vulnerability extended far beyond simple content proxying.
By serving attacker-controlled content through legitimate domains, the vulnerability created opportunities for sophisticated social engineering attacks and potential circumvention of security controls that rely on domain-based trust relationships.
Users and automated systems interacting with affected sites could be misled into believing malicious content originated from trusted sources.
The vulnerability posed significant risks for internal service exposure, as attackers could potentially probe internal networks and services through the compromised endpoint.
Additionally, the domain abuse potential created serious phishing risks, as malicious actors could leverage the reputation and trust associated with legitimate domains to distribute harmful content or conduct credential harvesting attacks.
Organizations using affected versions faced potential compliance and liability issues, as their domains could unknowingly serve content that violated policies or legal requirements.
The broad scope of potential impact made this vulnerability particularly concerning for enterprise deployments and high-traffic applications relying on the affected Cloudflare adapter.
Mitigations
Cloudflare responded swiftly to the vulnerability disclosure by implementing multiple layers of mitigation.
The company deployed server-side updates to their platform that automatically restrict content loaded via the /_next/image endpoint to images only, providing immediate protection for all existing and future deployments using affected versions of the adapter.
The root cause fix was implemented through pull request #727 to the Cloudflare adapter for Open Next, resulting in the patched version @opennextjs/cloudflare@1.3.0.
Simultaneously, create-cloudflare received updates through pull request #9608 to ensure new deployments use the secure version, with create-cloudflare@2.49.3 incorporating the necessary fixes.
Beyond the automatic platform-level mitigations, security experts recommend that affected users upgrade to version 1.3.0 and implement remotePatterns filtering in their Next.js configuration to maintain granular control over external image sources and prevent similar vulnerabilities in the future.
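As an added illustration (not code from the advisory, Cloudflare or the Open Next project), the following shows the kind of allowlist check that `images.remotePatterns` expresses, applied to the raw `url` query value an image-optimization endpoint receives. The host `cdn.example.com` is a constructed placeholder, and the matcher is a simplified hand-written one rather than Next.js's own implementation.

```javascript
// Added example: an allowlist in the shape of Next.js `images.remotePatterns`.
// Hostname and pathname come from a constructed configuration.
const remotePatterns = [
  // Only optimise images served from our own CDN (and its subdomains)
  // under the /images/ prefix; everything else is refused.
  { protocol: 'https', hostname: '**.cdn.example.com', pathname: '/images/**' },
];

// Hostname matching: '*.' allows exactly one extra label on the left,
// '**.' allows any number of labels (including none). Simplified matcher,
// not the one used inside Next.js.
function hostMatches(pattern, host) {
  if (pattern.startsWith('**.')) {
    const base = pattern.slice(3);
    return host === base || host.endsWith('.' + base);
  }
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    if (!host.endsWith('.' + base)) return false;
    const rest = host.slice(0, -(base.length + 1));
    return rest.length > 0 && !rest.includes('.');
  }
  return pattern === host;
}

// Pathname matching: a trailing '/**' acts as a directory prefix,
// otherwise the path must match exactly. No pattern means any path.
function pathMatches(pattern, path) {
  if (!pattern) return true;
  if (pattern.endsWith('/**')) return path.startsWith(pattern.slice(0, -2));
  return pattern === path;
}

// True only when `candidate` is an absolute URL that satisfies at least one
// pattern. Unparsable input, relative paths, wrong protocol, unknown hosts
// and unexpected ports are all rejected, so the endpoint can never be used
// to fetch an arbitrary remote origin on the caller's behalf.
function isAllowedRemoteImage(candidate, patterns = remotePatterns) {
  let url;
  try { url = new URL(candidate); } catch { return false; }
  return patterns.some((p) =>
    (p.protocol ? `${p.protocol}:` === url.protocol : true) &&
    hostMatches(p.hostname, url.hostname) &&
    (p.port ? p.port === url.port : true) &&
    pathMatches(p.pathname, url.pathname));
}
```

Wiring `isAllowedRemoteImage` in front of the fetch gives the defender a single decision point to log and alert on; a rejected `url` value is itself a useful detection signal.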