CVE-2025-57822
Next.js releases patches in versions 14.2.32 and 15.4.7 addressing a server-side request forgery vulnerability in middleware caused by misconfigured use of NextResponse.next().
Summary

A vulnerability affecting Next.js Middleware has been addressed. It impacted versions prior to v14.2.32 and v15.4.7, and involved a Server-Side Request Forgery (SSRF) risk introduced by misconfigured usage of the NextResponse.next() function within middleware. Applications that reflected a user's request headers in this function, rather than passing them through the request object, could unintentionally allow the server to issue requests to attacker-controlled destinations. A patch applied on August 25th, 2025 eliminated exposure for Vercel customers running the affected versions.

Impact

In affected configurations, an attacker could:

This issue is exploitable in self-hosted deployments where developers use custom middleware logic and do not adhere to documented usage of NextResponse.next({ request }). It is not exploitable on Vercel infrastructure, which isolates and protects internal request behavior.

Resolution

The issue was resolved by updating the internal middleware logic to prevent unsafe fallback behavior when request is omitted from the call. This ensures the origin server behavior cannot be unintentionally altered by user-supplied headers or…
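As an added example (not code from the advisory or from Next.js), a small Node.js audit helper for the two checks a defender would run here: whether a Next.js version is at or above the patched release for its major line, and whether a middleware source calls NextResponse.next() with request-derived headers instead of passing them through the request option. The middleware snippets inside it are constructed samples, and the source scan is a heuristic, not a type-aware analysis.

```javascript
// Added example, not from the advisory or the Next.js code base: heuristic audit
// helpers for CVE-2025-57822. isPatchedVersion() compares a Next.js version with
// the patched releases (14.2.32 / 15.4.7); auditMiddlewareSource() flags
// NextResponse.next() calls given request-derived `headers` without `request`.

const PATCHED = { 14: [14, 2, 32], 15: [15, 4, 7] };

// true/false for the 14.x and 15.x lines; null when unparsable or not covered.
function isPatchedVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec); // accepts "^14.2.3", "15.4.7"
  const v = m && [Number(m[1]), Number(m[2]), Number(m[3])];
  const fixed = v && PATCHED[v[0]];
  if (!fixed) return null;
  for (let i = 0; i < 3; i++) if (v[i] !== fixed[i]) return v[i] > fixed[i];
  return true;
}

// Argument text of every NextResponse.next(...) call, balancing parentheses so
// nested object literals such as { request: { headers } } stay whole.
function nextCallArgs(source) {
  const marker = 'NextResponse.next(';
  const args = [];
  let idx = source.indexOf(marker);
  while (idx !== -1) {
    let i = idx + marker.length, depth = 1;
    const start = i;
    for (; i < source.length && depth > 0; i++) {
      if (source[i] === '(') depth++;
      else if (source[i] === ')') depth--;
    }
    args.push(source.slice(start, i - 1).trim());
    idx = source.indexOf(marker, i);
  }
  return args;
}

// One verdict per call. "reflected-headers" is a review candidate, not proof:
// this is a text scan and cannot tell which header values reach the call.
function auditMiddlewareSource(source) {
  const readsRequestHeaders = /\brequest\.headers\b/.test(source);
  return nextCallArgs(source).map((arg) => {
    if (/\brequest\b\s*[:,}]/.test(arg)) return 'ok'; // next({ request }) or next({ request: {...} })
    if (readsRequestHeaders && /\bheaders\b/.test(arg)) return 'reflected-headers';
    return 'plain';
  });
}

// Constructed samples: the first reflects request headers through `headers`,
// the second passes them through the documented `request` option.
const REFLECTING_SAMPLE = `const h = new Headers(request.headers); h.set('x-a', '1');
return NextResponse.next({ headers: h });`;
const PASSTHROUGH_SAMPLE = `const h = new Headers(request.headers); h.set('x-a', '1');
return NextResponse.next({ request: { headers: h } });`;
```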
References

- vercel.com: CVE-2025-57822 (primary)