Open Next for Cloudflare SSRF Vulnerability Let Attackers Load Remote Resources from Arbitrary Hosts
A high-severity Server-Side Request Forgery (SSRF) vulnerability has been identified in the @opennextjs/cloudflare package, enabling attackers to exploit the /_next/image endpoint to load remote resources from arbitrary hosts.
The vulnerability, assigned CVE-2025-6087 with a CVSS score of 7.8, affects all versions prior to 1.3.0 and was disclosed by security researcher Edward Coristine.
SSRF Vulnerability in Cloudflare Adapter for Open Next
The SSRF vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, specifically in the handling of the /_next/image endpoint.
This security flaw allows unauthenticated users to proxy arbitrary remote content through victim domains without proper validation or restrictions.
The attack vector operates through a simple URL manipulation technique where malicious actors can craft requests such as https://victim-site.com/_next/image?url=https://attacker.com.
The vulnerability is classified under CWE-918 (Server-Side Request Forgery) and carries high exploitability metrics: a Network attack vector, Low attack complexity, and no privileges or user interaction required.
This combination makes the vulnerability particularly dangerous as it requires no authentication or special conditions to exploit.
The security impact encompasses multiple attack vectors, including SSRF via unrestricted remote URL loading and arbitrary remote content loading.
Attackers can leverage this vulnerability to serve malicious content through legitimate victim domains, effectively violating the same-origin policy and potentially misleading users or automated services.
The vulnerability presents risks for internal service exposure and phishing attacks through domain abuse.
When exploited, attacker-controlled content from external domains appears to originate from the victim’s trusted domain, creating opportunities for social engineering attacks and bypassing security controls that rely on domain reputation.
Risk Factors          Details
Affected Products     @opennextjs/cloudflare npm package (versions < 1.3.0)
Impact                - SSRF via arbitrary remote URL loading
                      - Domain-based phishing risks
                      - Internal service exposure
Exploit Prerequisites - Unpatched OpenNext/Cloudflare deployment
                      - Publicly accessible /_next/image endpoint
                      - No authentication requirements
CVSS 3.1 Score        7.5 (High)
Mitigation Measures
Cloudflare has implemented comprehensive mitigation strategies, including server-side platform updates that automatically restrict content loaded via the /_next/image endpoint to image files only.
This automatic mitigation protects all existing and future deployments using affected versions without requiring immediate user action.
The root cause fix has been delivered through Pull Request #727 to the Cloudflare adapter, with the patched version available as @opennextjs/cloudflare@1.3.0.
Additionally, Pull Request cloudflare/workers-sdk#9608 updates the create-cloudflare (c3) dependency to use the secure version, available as create-cloudflare@2.49.3.
Security teams are strongly encouraged to upgrade to the patched version and implement remotePatterns filters in Next.js configuration files to create allow-lists for external image assets, providing an additional layer of protection against similar vulnerabilities.
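As an added illustration of the remotePatterns allow-list recommended above (example code written for this page, not code from the advisory, from Next.js or from @opennextjs/cloudflare), the snippet below shows a next.config.js-style allow-list and a simplified check, in the spirit of how such patterns are evaluated, applied to the article's own request before anything is fetched. The hostnames cdn.example.com and images.example.net and the functions globToRegExp, isAllowedImageUrl and decideImageRequest are assumptions made for this example.

```javascript
// Added example (not code from the advisory or from @opennextjs/cloudflare).
// Allow-list of remote image origins in the shape of Next.js `images.remotePatterns`;
// the hostnames are constructed placeholders.
const nextConfig = {
  images: {
    remotePatterns: [
      { protocol: 'https', hostname: 'cdn.example.com', pathname: '/assets/**' },
      { protocol: 'https', hostname: '**.images.example.net' },
    ],
  },
};

// Turn a remotePatterns-style glob into a regex: `*` matches one label/segment,
// `**` matches any number of them (simplified re-implementation, not Next.js's matcher).
function globToRegExp(glob, separator) {
  const escapeLiteral = s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const source = glob
    .split('**')
    .map(chunk => chunk.split('*').map(escapeLiteral).join(`[^${separator}]*`))
    .join('.*');
  return new RegExp(`^${source}$`);
}

// Does an absolute URL match at least one allow-list entry (protocol, port, host, path)?
function isAllowedImageUrl(rawUrl, patterns) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; } // unparsable target: reject
  return patterns.some(p =>
    (!p.protocol || url.protocol === `${p.protocol}:`) &&
    (p.port ?? '') === url.port && // missing port in the pattern means the default port
    globToRegExp(p.hostname, '.').test(url.hostname) &&
    (!p.pathname || globToRegExp(p.pathname, '/').test(url.pathname)));
}

// Decide what an image-optimisation handler should do with a request, before fetching.
function decideImageRequest(requestUrl, patterns = nextConfig.images.remotePatterns) {
  const target = new URL(requestUrl).searchParams.get('url');
  if (target === null) return { fetch: false, reason: 'missing url parameter' };
  // A same-origin relative path is fine, but "//attacker.com/x" is protocol-relative
  // (i.e. remote), so require exactly one leading slash.
  if (target.startsWith('/') && !target.startsWith('//')) return { fetch: true, target };
  return isAllowedImageUrl(target, patterns)
    ? { fetch: true, target }
    : { fetch: false, reason: `not in remotePatterns allow-list: ${target}` };
}

// The article's own example request is refused; an allow-listed CDN path is served.
console.log(decideImageRequest('https://victim-site.com/_next/image?url=https://attacker.com'));
console.log(decideImageRequest('https://victim-site.com/_next/image?url=https://cdn.example.com/assets/logo.png'));
```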
The post Open Next for Cloudflare SSRF Vulnerability Let Attackers Load Remote Resources from Arbitrary Hosts appeared first on Cyber Security News.