CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-3125: SSRF via Differential Path Normalization in @opennextjs/cloudflare

Vulnerability ID: CVE-2026-3125
CVSS Score: 7.7
Published: 2026-03-05

A high-severity Server-Side Request Forgery (SSRF) vulnerability exists in the @opennextjs/cloudflare adapter due to differential path normalization between Cloudflare's Edge infrastructure and the Worker runtime. Attackers can bypass edge security policies protecting the '/cdn-cgi/' namespace by using backslashes in the URL, triggering a development-only proxy handler in production environments.

TL;DR

Improper handling of backslash characters allows attackers to bypass Cloudflare Edge interception and access a development image proxy in the OpenNext Worker. This leads to SSRF, enabling arbitrary URL fetching and potential content serving from the victim's domain.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918 (SSRF)
  • CVSS v4.0: 7.7 (High)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Impact: Security Bypass & Proxying
  • Exploit Status: Proof-of-Concept Available

Affected Systems

  • @opennextjs/cloudflare adapter for Next.js
  • Next.js applications deployed to Cloudflare Workers using OpenNext
  • @opennextjs/cloudflare: < 1.17.1 (Fixed in: 1.17.1)

Code Analysis

Commit: f5bd138

Fix: cdn-cgi image proxy security patch

export function parseCdnCgiImageRequest(pathname: string) { ... }

Exploit Details

Mitigation Strategies

  • Strict Input Validation
  • Defense in Depth
  • Least Privilege

Remediation Steps:

  1. Update the @opennextjs/cloudflare dependency to version 1.17.1 or later immediately.
  2. Redeploy the affected Cloudflare Worker to ensure the new code is active.
  3. Verify that no WAF rules were relying solely on the /cdn-cgi/ path prefix without accounting for normalization variations.
  4. Review access logs for requests containing backslashes in the path (\) to identify past exploitation attempts.
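One way to carry out step 4, as an added example that is not from the advisory or the OpenNext project: a Node.js script that scans access-log lines and separates paths where backslash handling alone decides whether the request falls under /cdn-cgi/. The JSON-lines log format, its field names (ts, ip, path) and the sample entries are assumptions constructed for this example.

```javascript
// Added example (not project code): flag logged request paths where backslash
// handling changes whether the path falls under /cdn-cgi/.
// Assumption: logs are JSON lines with hypothetical fields "ts", "ip", "path".
const PROTECTED_PREFIX = "/cdn-cgi/";

// Treat "\" and its percent-encoded form "%5C" as "/", approximating a
// lenient downstream parser.
function normalizePath(rawPath) {
  return rawPath.replace(/%5c/gi, "\\").replace(/\\/g, "/");
}

// null = no backslash present.
// "differential" = a literal prefix check on the raw path misses /cdn-cgi/
//                  but the normalized path matches it.
// "review" = any other backslash use.
function classifyPath(rawPath) {
  if (!/\\|%5c/i.test(rawPath)) return null;
  const rawHit = rawPath.toLowerCase().startsWith(PROTECTED_PREFIX);
  const normHit = normalizePath(rawPath).toLowerCase().startsWith(PROTECTED_PREFIX);
  return !rawHit && normHit ? "differential" : "review";
}

function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!entry || typeof entry.path !== "string") continue;
    const verdict = classifyPath(entry.path);
    if (verdict) findings.push({ ts: entry.ts, ip: entry.ip, path: entry.path, verdict });
  }
  return findings;
}

// Constructed sample log lines (documentation IPs, placeholder paths).
const SAMPLE_LOG = [
  JSON.stringify({ ts: "2026-03-01T10:00:00Z", ip: "192.0.2.10", path: "/blog/post-1" }),
  JSON.stringify({ ts: "2026-03-01T10:00:05Z", ip: "192.0.2.11", path: "/cdn-cgi\\placeholder/a" }),
  JSON.stringify({ ts: "2026-03-01T10:00:09Z", ip: "192.0.2.12", path: "/cdn-cgi%5Cplaceholder/b" }),
  JSON.stringify({ ts: "2026-03-01T10:00:12Z", ip: "192.0.2.13", path: "/files/a\\b.txt" }),
  "not json",
];

for (const f of scanLog(SAMPLE_LOG)) console.log(f.verdict, f.ip, f.path);
```

The same classifyPath check can be used for step 3: any rule that matches only the literal /cdn-cgi/ prefix will miss every path this script labels "differential".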

Read the full report for CVE-2026-3125 on our website for more details including interactive diagrams and full exploit analysis.
