{
  "vulnerability": "CVE-2025-6087",
  "sightings": [
    {
      "uuid": "9fa23e2d-b1ef-4ef1-b665-ba49e0b9db32",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2025-6087",
      "type": "seen",
      "source": "https://bsky.app/profile/geeknik.bsky.social/post/3lsh5ettopp2o",
      "content": "",
      "creation_timestamp": "2025-06-25T17:32:53.060302Z"
    },
    {
      "uuid": "ef20597f-5209-43ef-b8dc-28a5e7916a18",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2025-6087",
      "type": "seen",
      "source": "https://infosec.exchange/users/cR0w/statuses/114694678161147224",
      "content": "",
      "creation_timestamp": "2025-06-16T19:25:01.314239Z"
    },
    {
      "uuid": "7fc66a47-c060-4b66-ac4b-63bbf4ce48ad",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2025-6087",
      "type": "seen",
      "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3lrwkn2urjr2s",
      "content": "",
      "creation_timestamp": "2025-06-19T03:14:52.086954Z"
    },
    {
      "uuid": "9b9fe902-ceb9-487f-a02d-d7d00020a9ea",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2025-60876",
      "type": "seen",
      "source": "https://bsky.app/profile/jos1264.social.skynetcloud.site.ap.brid.gy/post/3m5cnsr65gkx2",
      "content": "",
      "creation_timestamp": "2025-11-10T22:22:36.269519Z"
    },
    {
      "uuid": "a407338e-d4d0-401a-b8e1-3ed12d8ba055",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385",
      "vulnerability": "CVE-2025-60876",
      "type": "seen",
      "source": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0316/",
      "content": "",
      "creation_timestamp": "2026-03-19T00:00:00.000000Z"
    },
    {
      "uuid": "f8fedc5a-9aa3-4ac6-9d7c-c68be5fb0f54",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2025-6087",
      "type": "published-proof-of-concept",
      "source": "https://t.me/DarkWebInformer_CVEAlerts/18520",
      "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-6087\n\ud83d\udd25 CVSS Score: 7.8 (cvssV4_0, Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N)\n\ud83d\udd39 Description: A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the /_next/image endpoint.\n\nThis issue allowed attackers to load remote resources from arbitrary hosts under the victim site\u2019s domain for any site deployed using the Cloudflare adapter for Open Next.\n\nFor example:\n\n https://victim-site.com/_next/image?url=https://attacker.com \n\nIn this example, attacker-controlled content from attacker.com is served through the victim site\u2019s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.\n\nImpact:\n\n  *  SSRF via unrestricted remote URL loading\n  *  Arbitrary remote content loading\n  *  Potential internal service exposure or phishing risks through domain abuse\n\nMitigation:\n\nThe following mitigations have been put in place:\n\n  *  Server-side updates to Cloudflare\u2019s platform to restrict the content loaded via the /_next/image endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next.\n  *  Root cause fix https://github.com/opennextjs/opennextjs-cloudflare/pull/727 to the Cloudflare adapter for Open Next. The patched version of the adapter is found here: @opennextjs/cloudflare@1.3.0 https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.3.0 \n  *  Package dependency update https://github.com/cloudflare/workers-sdk/pull/9608 to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare is found here: create-cloudflare@2.49.3 https://www.npmjs.com/package/create-cloudflare/v/2.49.3 \n\nIn addition to the automatic mitigation deployed on Cloudflare\u2019s platform, we encourage affected users to upgrade to @opennext/cloudflare v1.3.0 and use the remotePatterns https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns filter in Next config https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns if they need to allow-list external URLs with image assets.\n\ud83d\udccf Published: 2025-06-16T18:30:44.180Z\n\ud83d\udccf Modified: 2025-06-16T18:55:53.269Z\n\ud83d\udd17 References:\n1. https://github.com/opennextjs/opennextjs-cloudflare",
      "creation_timestamp": "2025-06-16T19:41:02.000000Z"
    }
  ]
}
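The post's mitigation advice is to allow-list remote image hosts with `images.remotePatterns` in the Next config. The block below is an added example, not code from the advisory, the Telegram post, or the opennextjs project: it carries a constructed `nextConfig` (the hostnames and paths are assumptions) and a small reimplementation of the remotePatterns check, written to approximate the semantics Next.js documents (`*` matches one hostname label or path segment, `**` matches any number of them; protocol, port and pathname are enforced when given; nothing is allowed when the list is empty). It is the check that the unpatched adapter did not apply before proxying the `url` parameter, and `buildProbeUrl` reproduces the request shape from the post for re-testing your own deployment after upgrading.

```javascript
// Added example (not the advisory's, the post's, or the opennextjs project's code):
// an allow-list check for /_next/image remote URLs modelled on Next.js's
// images.remotePatterns. The glob matching is my own approximation of what
// Next.js does with picomatch: "*" matches one hostname label or one path
// segment, "**" matches any number of them.

// Constructed sample config: what the post's remotePatterns mitigation looks
// like in next.config.js. Hostnames and paths are assumptions.
const nextConfig = {
  images: {
    remotePatterns: [
      { protocol: "https", hostname: "cdn.example.com", pathname: "/assets/**" },
      { protocol: "https", hostname: "**.static.example.org" },
    ],
  },
};

// Turn a hostname or pathname glob into an anchored regex. Anchoring is the
// whole point: an unanchored "cdn.example.com" would also accept
// "cdn.example.com.attacker.com".
function globToRegExp(glob, segmentChar) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*") {
      if (glob[i + 1] === "*") {
        re += ".*";
        i++;
      } else {
        re += `[^${segmentChar}]*`;
      }
    } else {
      re += c.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
    }
  }
  return new RegExp(`^${re}$`);
}

// One remotePatterns entry against a parsed URL. An entry without a hostname
// is a config error, not a silent allow.
function matchRemotePattern(pattern, url) {
  if (pattern.protocol !== undefined && pattern.protocol !== url.protocol.slice(0, -1)) return false;
  if (pattern.port !== undefined && pattern.port !== url.port) return false;
  if (pattern.hostname === undefined) throw new Error("remotePatterns entry has no hostname");
  if (!globToRegExp(pattern.hostname, ".").test(url.hostname)) return false;
  if (pattern.search !== undefined && pattern.search !== url.search) return false;
  return globToRegExp(pattern.pathname ?? "**", "/").test(url.pathname);
}

// Deny by default: an unparseable URL, a non-http(s) scheme, or an empty
// allow-list all reject. This is the gate the unpatched adapter lacked.
function isAllowedImageUrl(config, raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const patterns = (config.images && config.images.remotePatterns) || [];
  return patterns.some((p) => matchRemotePattern(p, url));
}

// The request shape from the post, with the w and q parameters the Next.js
// image optimizer expects, for re-testing a deployment you own after upgrading.
function buildProbeUrl(site, target) {
  return `${site}/_next/image?url=${encodeURIComponent(target)}&w=640&q=75`;
}

// The post's own example: an arbitrary attacker host must be rejected.
console.log(isAllowedImageUrl(nextConfig, "https://attacker.com"));                    // false
console.log(isAllowedImageUrl(nextConfig, "https://cdn.example.com/assets/logo.png")); // true
console.log(buildProbeUrl("https://victim-site.com", "https://attacker.com"));
```

Two of the rejected cases are the ones worth re-checking on a real site after the upgrade: a hostname that merely ends in the allow-listed domain (`cdn.example.com.attacker.com`) and a link-local address such as the cloud metadata endpoint, which is what turns "arbitrary remote content loading" into the internal service exposure the post lists under Impact.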