by smlx 449 days ago
next.js has a history of similar vulnerabilities.

I was made aware recently of a vulnerability that was fixed by this patch: https://github.com/vercel/next.js/pull/73482/files

In this vulnerability, adding a 'x-middleware-rewrite: https://www.example.com' header would cause the server to respond with the contents of example.com. i.e. the world's dumbest SSRF.

Note that there is no CVE for this vulnerability, nor is there any clear information about which versions are affected.

Also note that according to the published support policy for Next.js only "stable" (15.2.x) and "canary" (15.3.x) receive patches. But for the vulnerability reported here they are releasing patches for 14.x and 13.x apparently?

https://github.com/vercel/next.js/blob/canary/contributing/r...

IMO you are playing with fire using Next.js for anything where you care about security and maintenance. Which seems insane for a project with 130k+ GitHub stars and supported by a major company like Vercel.

4 comments

Heh, that commit you linked added a bunch of headers to INTERNAL_HEADERS (to prevent external use) but they forgot to add the one in this particular vulnerability. This was done in December 2024. There were probably a myriad of vulnerabilities with these headers before that commit. Wild it wasn’t a CVE.
Look, we need to show some restraint here and some class. Vercel has only raised $538 million, it's not reasonable to be so critical of their security practices when weighed against the business value of their products.
Not to mention the same critical vulnerability in Clerk's Next.js SDK, which should've been a wake up call.

https://clerk.com/changelog/2024-02-02#:~:text=Our%20solutio...

'Next.js has published 16 security advisories since 2016' - https://nextjs.org/blog/cve-2025-29927

At first read that sounds very reasonable! But then you realize that not all vulnerabilities got a security advisory...