Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40opennextjs/cloudflare@1.0.4
Type npm
Namespace @opennextjs
Name cloudflare
Version 1.0.4
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.17.1
Latest_non_vulnerable_version 1.17.1
Affected_by_vulnerabilities
0
url VCID-9btn-s48k-c3cx
vulnerability_id VCID-9btn-s48k-c3cx
summary
A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler.

The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare's edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs.

For example: 

 https://victim-site.com/cdn-cgi\image/aaaa/https://attacker.com 

In this example, attacker-controlled content from attacker.com is served through the victim site's domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.

Note: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests.

Additionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi\... instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-3125
reference_id
reference_type
scores
0
value 0.00012
scoring_system epss
scoring_elements 0.01913
published_at 2026-06-11T12:55:00Z
1
value 0.00012
scoring_system epss
scoring_elements 0.01928
published_at 2026-06-14T12:55:00Z
2
value 0.00012
scoring_system epss
scoring_elements 0.01918
published_at 2026-06-13T12:55:00Z
3
value 0.00012
scoring_system epss
scoring_elements 0.01917
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-3125
1
reference_url https://github.com/opennextjs/opennextjs-cloudflare/commit/f5bd138fd3c77e02f2aa4b9c76d55681e59e98b4
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/opennextjs/opennextjs-cloudflare/commit/f5bd138fd3c77e02f2aa4b9c76d55681e59e98b4
2
reference_url https://github.com/opennextjs/opennextjs-cloudflare/pull/1147
reference_id 1147
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:58:41Z/
url https://github.com/opennextjs/opennextjs-cloudflare/pull/1147
3
reference_url https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.17.1
reference_id 1.17.1
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:58:41Z/
url https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.17.1
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-3125
reference_id CVE-2026-3125
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-3125
5
reference_url https://www.cve.org/cverecord?id=CVE-2025-6087
reference_id cverecord?id=CVE-2025-6087
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:58:41Z/
url https://www.cve.org/cverecord?id=CVE-2025-6087
6
reference_url https://github.com/advisories/GHSA-c7mq-gh6q-6q7c
reference_id GHSA-c7mq-gh6q-6q7c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c7mq-gh6q-6q7c
7
reference_url https://github.com/opennextjs/opennextjs-cloudflare/security/advisories/GHSA-c7mq-gh6q-6q7c
reference_id GHSA-c7mq-gh6q-6q7c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/opennextjs/opennextjs-cloudflare/security/advisories/GHSA-c7mq-gh6q-6q7c
8
reference_url https://github.com/advisories/GHSA-rvpw-p7vw-wj3m
reference_id GHSA-rvpw-p7vw-wj3m
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:58:41Z/
url https://github.com/advisories/GHSA-rvpw-p7vw-wj3m
fixed_packages
0
url pkg:npm/%40opennextjs/cloudflare@1.17.1
purl pkg:npm/%40opennextjs/cloudflare@1.17.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540opennextjs/cloudflare@1.17.1
aliases CVE-2026-3125, GHSA-c7mq-gh6q-6q7c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9btn-s48k-c3cx
1
url VCID-z39u-kj79-xug8
vulnerability_id VCID-z39u-kj79-xug8
summary
A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the /_next/image endpoint.

This issue allowed attackers to load remote resources from arbitrary hosts under the victim site’s domain for any site deployed using the Cloudflare adapter for Open Next.

For example:

 https://victim-site.com/_next/image?url=https://attacker.com

In this example, attacker-controlled content from attacker.com is served through the victim site’s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.

Impact:

  * SSRF via unrestricted remote URL loading
  * Arbitrary remote content loading
  * Potential internal service exposure or phishing risks through domain abuse

Mitigation:

The following mitigations have been put in place:

  * Server-side updates to Cloudflare’s platform to restrict the content loaded via the /_next/image endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next.
  * Root cause fix (https://github.com/opennextjs/opennextjs-cloudflare/pull/727) to the Cloudflare adapter for Open Next. The patched version of the adapter is @opennextjs/cloudflare@1.3.0 (https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.3.0).
  * Package dependency update (https://github.com/cloudflare/workers-sdk/pull/9608) to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare is create-cloudflare@2.49.3 (https://www.npmjs.com/package/create-cloudflare/v/2.49.3).

In addition to the automatic mitigation deployed on Cloudflare’s platform, we encourage affected users to upgrade to @opennextjs/cloudflare v1.3.0 and use the remotePatterns filter in the Next config (https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns) if they need to allow-list external URLs for image assets.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-6087
reference_id
reference_type
scores
0
value 0.00501
scoring_system epss
scoring_elements 0.66553
published_at 2026-06-14T12:55:00Z
1
value 0.00501
scoring_system epss
scoring_elements 0.66447
published_at 2026-06-11T12:55:00Z
2
value 0.00501
scoring_system epss
scoring_elements 0.66555
published_at 2026-06-13T12:55:00Z
3
value 0.00501
scoring_system epss
scoring_elements 0.66541
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-6087
1
reference_url https://github.com/cloudflare/workers-sdk/pull/9608
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/cloudflare/workers-sdk/pull/9608
2
reference_url https://github.com/opennextjs/opennextjs-cloudflare/commit/36119c0f490c95b3d4f6e826d745b728c80625ab
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/opennextjs/opennextjs-cloudflare/commit/36119c0f490c95b3d4f6e826d745b728c80625ab
3
reference_url https://github.com/opennextjs/opennextjs-cloudflare/pull/727
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/opennextjs/opennextjs-cloudflare/pull/727
4
reference_url https://github.com/opennextjs/opennextjs-cloudflare/security/advisories/GHSA-rvpw-p7vw-wj3m
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/opennextjs/opennextjs-cloudflare/security/advisories/GHSA-rvpw-p7vw-wj3m
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-6087
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-6087
6
reference_url https://github.com/advisories/GHSA-rvpw-p7vw-wj3m
reference_id GHSA-rvpw-p7vw-wj3m
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rvpw-p7vw-wj3m
7
reference_url https://github.com/opennextjs/opennextjs-cloudflare
reference_id opennextjs-cloudflare
reference_type
scores
0
value 7.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-16T18:55:28Z/
url https://github.com/opennextjs/opennextjs-cloudflare
fixed_packages
0
url pkg:npm/%40opennextjs/cloudflare@1.3.0
purl pkg:npm/%40opennextjs/cloudflare@1.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9btn-s48k-c3cx
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540opennextjs/cloudflare@1.3.0
aliases CVE-2025-6087, GHSA-rvpw-p7vw-wj3m
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z39u-kj79-xug8
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540opennextjs/cloudflare@1.0.4