Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for @opennextjs/cloudflare by opennextjs

    CVE-2026-3125 (GCVE-0-2026-3125)

    Vulnerability from nvd – Published: 2026-03-04 18:14 – Updated: 2026-03-04 18:58
    VLAI
    Title
    SSRF vulnerability in opennextjs-cloudflare via /cdn-cgi/ path normalization bypass
    Summary
    A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler.The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare's edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs. For example: https://victim-site.com/cdn-cgi\image/aaaa/https://attacker.com In this example, attacker-controlled content from attacker.com is served through the victim site's domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services. Note: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests. Additionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi\... instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    • CWE-706 - Use of Incorrectly-Resolved Name or Reference
    Assigner
    Impacted products
    Vendor Product Version
    opennextjs @opennextjs/cloudflare Affected: 0 , < 1.17.1 (npm)
    Create a notification for this product.
    Credits
    https://x.com/ez_z3r
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3125",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-04T18:58:41.207814Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-04T18:58:56.614Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.npmjs.com/package/@opennextjs/cloudflare",
              "defaultStatus": "unaffected",
              "modules": [
                "packages/cloudflare/src/cli/templates/worker.ts"
              ],
              "packageName": "@opennextjs/cloudflare",
              "platforms": [
                "Cloudflare Workers"
              ],
              "product": "@opennextjs/cloudflare",
              "repo": "https://github.com/opennextjs/opennextjs-cloudflare",
              "vendor": "opennextjs",
              "versions": [
                {
                  "lessThan": "1.17.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "npm"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "https://x.com/ez_z3r"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eA Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler.\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eThe @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare\u0027s edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eFor example: \u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://victim-site.com/cdn-cgi\\image/aaaa/https://attacker.com\"\u003ehttps://victim-site.com/cdn-cgi\\image/aaaa/https://attacker.com\u003c/a\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eIn this example, attacker-controlled content from attacker.com is served through the victim site\u0027s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eNote: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests.\u003c/span\u003e\u003c/p\u003e\u003cspan style=\"background-color: transparent;\"\u003eAdditionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\\.\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e.. instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler.The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare\u0027s edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs.\n\nFor example: \n\n https://victim-site.com/cdn-cgi\\image/aaaa/https://attacker.com \n\nIn this example, attacker-controlled content from attacker.com is served through the victim site\u0027s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.\n\nNote: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests.\n\nAdditionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi\\... instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            },
            {
              "capecId": "CAPEC-267",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-267 Leverage Alternate Encoding"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-706",
                  "description": "CWE-706 Use of Incorrectly-Resolved Name or Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-04T18:14:31.111Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/opennextjs/opennextjs-cloudflare/pull/1147"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.17.1"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://github.com/advisories/GHSA-rvpw-p7vw-wj3m"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/cverecord?id=CVE-2025-6087"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eServer-side updates to Cloudflare\u0027s Workers platform to block backslash path normalization bypasses for /cdn-cgi requests. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare Workers.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Server-side updates to Cloudflare\u0027s Workers platform to block backslash path normalization bypasses for /cdn-cgi requests. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare Workers."
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eIn addition to the platform level fix, \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/opennextjs/opennextjs-cloudflare/pull/1147\"\u003e\u003cspan style=\"background-color: transparent;\"\u003eroot cause fix\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e has been implemented to the Cloudflare adapter for Open Next. The patched version of the adapter is found at @opennextjs/cloudflare@1.17.1 (\u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.npmjs.com/package/@opennextjs/cloudflare\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://www.npmjs.com/package/@opennextjs/cloudflare\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e)\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "In addition to the platform level fix,  root cause fix https://github.com/opennextjs/opennextjs-cloudflare/pull/1147  has been implemented to the Cloudflare adapter for Open Next. The patched version of the adapter is found at @opennextjs/cloudflare@1.17.1 ( https://www.npmjs.com/package/@opennextjs/cloudflare https://www.npmjs.com/package/@opennextjs/cloudflare )"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/opennextjs/opennextjs-cloudflare/pull/1150\"\u003e\u003cspan style=\"background-color: transparent;\"\u003eDependency update\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e to the Next.js template used with create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "Dependency update https://github.com/opennextjs/opennextjs-cloudflare/pull/1150  to the Next.js template used with create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "SSRF vulnerability in opennextjs-cloudflare via /cdn-cgi/ path normalization bypass",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2026-3125",
        "datePublished": "2026-03-04T18:14:31.111Z",
        "dateReserved": "2026-02-24T14:15:54.385Z",
        "dateUpdated": "2026-03-04T18:58:56.614Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3125 (GCVE-0-2026-3125)

    Vulnerability from cvelistv5 – Published: 2026-03-04 18:14 – Updated: 2026-03-04 18:58
    VLAI
    Title
    SSRF vulnerability in opennextjs-cloudflare via /cdn-cgi/ path normalization bypass
    Summary
    A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler.The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare's edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs. For example: https://victim-site.com/cdn-cgi\image/aaaa/https://attacker.com In this example, attacker-controlled content from attacker.com is served through the victim site's domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services. Note: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests. Additionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi\... instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    • CWE-706 - Use of Incorrectly-Resolved Name or Reference
    Assigner
    Impacted products
    Vendor Product Version
    opennextjs @opennextjs/cloudflare Affected: 0 , < 1.17.1 (npm)
    Create a notification for this product.
    Credits
    https://x.com/ez_z3r
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3125",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-04T18:58:41.207814Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-04T18:58:56.614Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.npmjs.com/package/@opennextjs/cloudflare",
              "defaultStatus": "unaffected",
              "modules": [
                "packages/cloudflare/src/cli/templates/worker.ts"
              ],
              "packageName": "@opennextjs/cloudflare",
              "platforms": [
                "Cloudflare Workers"
              ],
              "product": "@opennextjs/cloudflare",
              "repo": "https://github.com/opennextjs/opennextjs-cloudflare",
              "vendor": "opennextjs",
              "versions": [
                {
                  "lessThan": "1.17.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "npm"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "https://x.com/ez_z3r"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eA Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler.\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eThe @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare\u0027s edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eFor example: \u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://victim-site.com/cdn-cgi\\image/aaaa/https://attacker.com\"\u003ehttps://victim-site.com/cdn-cgi\\image/aaaa/https://attacker.com\u003c/a\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eIn this example, attacker-controlled content from attacker.com is served through the victim site\u0027s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eNote: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests.\u003c/span\u003e\u003c/p\u003e\u003cspan style=\"background-color: transparent;\"\u003eAdditionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\\.\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e.. instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler.The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare\u0027s edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs.\n\nFor example: \n\n https://victim-site.com/cdn-cgi\\image/aaaa/https://attacker.com \n\nIn this example, attacker-controlled content from attacker.com is served through the victim site\u0027s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.\n\nNote: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests.\n\nAdditionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi\\... instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            },
            {
              "capecId": "CAPEC-267",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-267 Leverage Alternate Encoding"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-706",
                  "description": "CWE-706 Use of Incorrectly-Resolved Name or Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-04T18:14:31.111Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/opennextjs/opennextjs-cloudflare/pull/1147"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.17.1"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://github.com/advisories/GHSA-rvpw-p7vw-wj3m"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/cverecord?id=CVE-2025-6087"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eServer-side updates to Cloudflare\u0027s Workers platform to block backslash path normalization bypasses for /cdn-cgi requests. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare Workers.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Server-side updates to Cloudflare\u0027s Workers platform to block backslash path normalization bypasses for /cdn-cgi requests. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare Workers."
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eIn addition to the platform level fix, \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/opennextjs/opennextjs-cloudflare/pull/1147\"\u003e\u003cspan style=\"background-color: transparent;\"\u003eroot cause fix\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e has been implemented to the Cloudflare adapter for Open Next. The patched version of the adapter is found at @opennextjs/cloudflare@1.17.1 (\u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.npmjs.com/package/@opennextjs/cloudflare\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://www.npmjs.com/package/@opennextjs/cloudflare\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e)\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "In addition to the platform level fix,  root cause fix https://github.com/opennextjs/opennextjs-cloudflare/pull/1147  has been implemented to the Cloudflare adapter for Open Next. The patched version of the adapter is found at @opennextjs/cloudflare@1.17.1 ( https://www.npmjs.com/package/@opennextjs/cloudflare https://www.npmjs.com/package/@opennextjs/cloudflare )"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/opennextjs/opennextjs-cloudflare/pull/1150\"\u003e\u003cspan style=\"background-color: transparent;\"\u003eDependency update\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e to the Next.js template used with create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "Dependency update https://github.com/opennextjs/opennextjs-cloudflare/pull/1150  to the Next.js template used with create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "SSRF vulnerability in opennextjs-cloudflare via /cdn-cgi/ path normalization bypass",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2026-3125",
        "datePublished": "2026-03-04T18:14:31.111Z",
        "dateReserved": "2026-02-24T14:15:54.385Z",
        "dateUpdated": "2026-03-04T18:58:56.614Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }