{
  "id": "CVE-2026-3125",
  "details": "A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler. The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare's edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs.\n\nFor example:\n\nhttps://victim-site.com/cdn-cgi\\image/aaaa/https://attacker.com\n\nIn this example, attacker-controlled content from attacker.com is served through the victim site's domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.\n\nNote: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests.\n\nAdditionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi\\... instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data.\nFor example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.",
  "aliases": [
    "CVE-2025-6087",
    "GHSA-c7mq-gh6q-6q7c",
    "GHSA-rvpw-p7vw-wj3m"
  ],
  "modified": "2026-04-02T13:23:55.351401Z",
  "published": "2026-03-04T19:16:19.730Z",
  "references": [
    { "type": "ADVISORY", "url": "https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.17.1" },
    { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-rvpw-p7vw-wj3m" },
    { "type": "ADVISORY", "url": "https://www.cve.org/cverecord?id=CVE-2025-6087" },
    { "type": "FIX", "url": "https://github.com/opennextjs/opennextjs-cloudflare/pull/1147" }
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/opennextjs/opennextjs-cloudflare",
          "events": [
            { "introduced": "0" },
            { "fixed": "206794f1341023294147e7ef0b09146b7c7caaeb" }
          ],
          "database_specific": {
            "versions": [
              { "introduced": "0" },
              { "fixed": "1.17.1" }
            ]
          }
        }
      ],
      "versions": [
        "@opennextjs/cloudflare@0.0.3",
        "@opennextjs/cloudflare@0.1.0",
        "@opennextjs/cloudflare@0.1.1",
        "@opennextjs/cloudflare@0.2.0",
        "@opennextjs/cloudflare@0.2.1",
        "@opennextjs/cloudflare@0.3.0",
        "@opennextjs/cloudflare@0.3.1",
        "@opennextjs/cloudflare@0.3.10",
        "@opennextjs/cloudflare@0.3.2",
        "@opennextjs/cloudflare@0.3.3",
        "@opennextjs/cloudflare@0.3.4",
        "@opennextjs/cloudflare@0.3.5",
        "@opennextjs/cloudflare@0.3.6",
        "@opennextjs/cloudflare@0.3.7",
        "@opennextjs/cloudflare@0.3.8",
        "@opennextjs/cloudflare@0.3.9",
        "@opennextjs/cloudflare@0.4.0",
        "@opennextjs/cloudflare@0.4.1",
        "@opennextjs/cloudflare@0.4.2",
        "@opennextjs/cloudflare@0.4.3",
        "@opennextjs/cloudflare@0.4.4",
        "@opennextjs/cloudflare@0.4.5",
        "@opennextjs/cloudflare@0.4.6",
        "@opennextjs/cloudflare@0.4.7",
        "@opennextjs/cloudflare@0.4.8",
        "@opennextjs/cloudflare@0.5.0",
        "@opennextjs/cloudflare@0.5.1",
        "@opennextjs/cloudflare@0.5.10",
        "@opennextjs/cloudflare@0.5.11",
        "@opennextjs/cloudflare@0.5.12",
        "@opennextjs/cloudflare@0.5.2",
        "@opennextjs/cloudflare@0.5.3",
        "@opennextjs/cloudflare@0.5.4",
        "@opennextjs/cloudflare@0.5.5",
        "@opennextjs/cloudflare@0.5.6",
        "@opennextjs/cloudflare@0.5.7",
        "@opennextjs/cloudflare@0.5.8",
        "@opennextjs/cloudflare@0.5.9",
        "@opennextjs/cloudflare@0.6.0",
        "@opennextjs/cloudflare@0.6.1",
        "@opennextjs/cloudflare@0.6.2",
        "@opennextjs/cloudflare@0.6.3",
        "@opennextjs/cloudflare@0.6.4",
        "@opennextjs/cloudflare@0.6.5",
        "@opennextjs/cloudflare@0.6.6",
        "@opennextjs/cloudflare@1.0.0",
        "@opennextjs/cloudflare@1.0.0-beta.0",
        "@opennextjs/cloudflare@1.0.0-beta.1",
        "@opennextjs/cloudflare@1.0.0-beta.2",
        "@opennextjs/cloudflare@1.0.0-beta.3",
        "@opennextjs/cloudflare@1.0.0-beta.4",
        "@opennextjs/cloudflare@1.0.1",
        "@opennextjs/cloudflare@1.0.2",
        "@opennextjs/cloudflare@1.0.3",
        "@opennextjs/cloudflare@1.0.4",
        "@opennextjs/cloudflare@1.1.0",
        "@opennextjs/cloudflare@1.10.0",
        "@opennextjs/cloudflare@1.10.1",
        "@opennextjs/cloudflare@1.11.0",
        "@opennextjs/cloudflare@1.11.1",
        "@opennextjs/cloudflare@1.12.0",
        "@opennextjs/cloudflare@1.13.0",
        "@opennextjs/cloudflare@1.13.1",
        "@opennextjs/cloudflare@1.14.0",
        "@opennextjs/cloudflare@1.14.1",
        "@opennextjs/cloudflare@1.14.10",
        "@opennextjs/cloudflare@1.14.2",
        "@opennextjs/cloudflare@1.14.3",
        "@opennextjs/cloudflare@1.14.4",
        "@opennextjs/cloudflare@1.14.5",
        "@opennextjs/cloudflare@1.14.6",
        "@opennextjs/cloudflare@1.14.7",
        "@opennextjs/cloudflare@1.14.8",
        "@opennextjs/cloudflare@1.14.9",
        "@opennextjs/cloudflare@1.15.0",
        "@opennextjs/cloudflare@1.15.1",
        "@opennextjs/cloudflare@1.16.0",
        "@opennextjs/cloudflare@1.16.1",
        "@opennextjs/cloudflare@1.16.2",
        "@opennextjs/cloudflare@1.16.3",
        "@opennextjs/cloudflare@1.16.4",
        "@opennextjs/cloudflare@1.16.5",
        "@opennextjs/cloudflare@1.16.6",
        "@opennextjs/cloudflare@1.17.0",
        "@opennextjs/cloudflare@1.2.0",
        "@opennextjs/cloudflare@1.2.1",
        "@opennextjs/cloudflare@1.3.0",
        "@opennextjs/cloudflare@1.3.1",
        "@opennextjs/cloudflare@1.4.0",
        "@opennextjs/cloudflare@1.5.0",
        "@opennextjs/cloudflare@1.5.1",
        "@opennextjs/cloudflare@1.5.2",
        "@opennextjs/cloudflare@1.5.3",
        "@opennextjs/cloudflare@1.6.0",
        "@opennextjs/cloudflare@1.6.1",
        "@opennextjs/cloudflare@1.6.2",
        "@opennextjs/cloudflare@1.6.3",
        "@opennextjs/cloudflare@1.6.4",
        "@opennextjs/cloudflare@1.6.5",
        "@opennextjs/cloudflare@1.7.0",
        "@opennextjs/cloudflare@1.7.1",
        "@opennextjs/cloudflare@1.8.0",
        "@opennextjs/cloudflare@1.8.1",
        "@opennextjs/cloudflare@1.8.2",
        "@opennextjs/cloudflare@1.8.3",
        "@opennextjs/cloudflare@1.8.4",
        "@opennextjs/cloudflare@1.8.5",
        "@opennextjs/cloudflare@1.9.0",
        "@opennextjs/cloudflare@1.9.1",
        "@opennextjs/cloudflare@1.9.2"
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3125.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }
  ]
}