chore(deps): update dependency @opennextjs/cloudflare to v1.17.1 [security]#668
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency @opennextjs/cloudflare to v1.17.1 [security]#668renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
|
Version Preview URL: https://fe612341-web-ruler.nemolize.workers.dev |
renovate
Bot
force-pushed
the
renovate/npm-opennextjs-cloudflare-vulnerability
branch
from
a9f14bd to
1b31926
Compare
renovate
Bot
force-pushed
the
renovate/npm-opennextjs-cloudflare-vulnerability
branch
from
1b31926 to
74e7cf0
Compare
renovate
Bot
force-pushed
the
renovate/npm-opennextjs-cloudflare-vulnerability
branch
from
74e7cf0 to
2b4d9b0
Compare
renovate
Bot
changed the title
auto-merge was automatically disabled
April 27, 2026 17:36
Pull request was closed
renovate
Bot
deleted the
renovate/npm-opennextjs-cloudflare-vulnerability
branch
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/npm-opennextjs-cloudflare-vulnerability
branch
3 times, most recently
from
c602c12 to
a9ea8e1
Compare
renovate
Bot
force-pushed
the
renovate/npm-opennextjs-cloudflare-vulnerability
branch
from
a9ea8e1 to
6f003ac
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.14.3→1.17.1opennextjs-cloudflare has SSRF vulnerability via /cdn-cgi/ path normalization bypass
CVE-2026-3125 / GHSA-c7mq-gh6q-6q7c
More information
Details
A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler.
The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare's edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs.
For example: https://victim-site.com/cdn-cgi\image/aaaa/https://attacker.com
In this example, attacker-controlled content from attacker.com is served through the victim site's domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.
Note: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests.
Additionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi... instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.
Impact
Credits
Disclosed responsibly by security researcher @Ezzer17.
Mitigations
The following mitigations have been put in place:
Server-side updates to Cloudflare's Workers platform to block backslash path normalization bypasses for /cdn-cgi requests. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare Workers.
In addition to the platform level fix, Root cause fix has been implemented to the Cloudflare adapter for Open Next. The patched version of the adapter is found at @opennextjs/cloudflare@1.17.1 (https://www.npmjs.com/package/@​opennextjs/cloudflare)
Dependency update to the Next.js template used with create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. Despite the automatic mitigation deployed on Cloudflare's platform, we encourage affected users to upgrade to the patched version of @opennextjs/cloudflare.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
opennextjs/opennextjs-cloudflare (@opennextjs/cloudflare)
v1.17.1Compare Source
Patch Changes
f5bd138Thanks @vicb! - make dev /cdn-cgi/image behaves like prod for consistencyv1.17.0Compare Source
Minor Changes
25d5835Thanks @dario-piotrowicz! - Update themigratecommand to attempt to create an R2 bucket for caching, if that is not possible an application without caching enabled will be generated instead.v1.16.6Compare Source
Patch Changes
4487f1fThanks @james-elicx! - Fix the CLI potentially setting a future compatibility date in the wrangler config when workerd has published a version matching a future date, by capping to the current date.v1.16.5Compare Source
Patch Changes
#1127
2b437f1Thanks @dario-piotrowicz! - In themigratecommand, add an initial step to create a Next.js config file (required by open-next) if it doesn't exist#1126
8c3a36eThanks @alex-all3dp! - fix: prevent Worker hang on HEAD requests to static assetsv1.16.4Compare Source
Patch Changes
#1122
6c94a4aThanks @dario-piotrowicz! - Inmigratecommand, avoid adding unnecessary newlines when creating files#1122
6c94a4aThanks @dario-piotrowicz! - fixmigratecommand incorrectly erroring if the target application doesn't have apublicdirectory#1122
6c94a4aThanks @dario-piotrowicz! - Bump@opennextjs/awsto 3.9.16migratecommand not updating Next.js config filesSee details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.16
#1097
fea645fThanks @dario-piotrowicz! - Add--helpand--versionto theopennextjs-cloudflareCLIImprove the
opennextjs-cloudflareCLI by:opennextjs-cloudflare foo) display a clear and helpful error message-h|--helpflag to display the CLI's help message-v|--versionflag to display the package's versionv1.16.3Compare Source
Patch Changes
#1113
09c41f1Thanks @anonrig! - bump@opennextjs/awsto 3.9.15See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.15
v1.16.2Compare Source
Patch Changes
e6938a0Thanks @vicb! - allow using a regional cache with KVv1.16.1Compare Source
Patch Changes
8676c78Thanks @vicb! - EmptyNextNodeServer#handleNextImageRequestto avoid pulling unneeded deps (in #1098)v1.16.0Compare Source
Minor Changes
#1083
b062597Thanks @dario-piotrowicz! - feature: addmigratecommand to set up OpenNext for Cloudflare adapterThis command helps users migrate existing Next.js applications to the OpenNext Cloudflare adapter by automatically setting up all necessary configuration files, dependencies, and scripts.
To use the command simply run:
npx opennextjs-cloudflare migratePatch Changes
#1092
4279043Thanks @vicb! - Check for supported Next versionThe build will now error for unsupported Next version which may contain unpatched security vulnerabilities.
You can bypass the check using the
--dangerouslyUseUnsupportedNextVersionflag.v1.15.1Compare Source
Patch Changes
74302ecThanks @vicb! - fix the detection of the runtime (webpack vs turbopack)v1.15.0Compare Source
Minor Changes
ae3d43dThanks @vicb! - Next 16 is now supportedPatch Changes
#1076
c99eefdThanks @vicb! - fix: do not bundle og when not usedThis saves ~500kB when og is not used
#1079
6ac789aThanks @vicb! - fix: use the correct runtime (i.e. webpack or turbopack)#1078
249f738Thanks @vicb! - drop unused react-dom modulesThis saves ~500kB on the output bundle
v1.14.10Compare Source
Patch Changes
#1071
886c742Thanks @vicb! - fix: patch Next config for missing fields.There was a regression in Next 16.1.0 (vercel/next.js#86830) and some fields were missing in the config.
The Next team fixed that in 16.1.4 (vercel/next.js#88733).
This PR introduce a patch for 16.1.0-16.1.3
v1.14.9Compare Source
Patch Changes
#1070
f7c6b3aThanks @vicb! - bump@opennextjs/awsto 3.9.8See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.8
#1057
0230cbeThanks @vicb! - Do not inject setImmediate/clearImmediate in the global scope#1069
4ee4ba3Thanks @vicb! - Check that wrangler is >= 4.59.2 when building Next 16.1+.To ensure
workerdhas a required fix tosetImmediatev1.14.8Compare Source
Patch Changes
9222070Thanks @vicb! - fix r2 bulk put to respect bucket jurisdictionv1.14.7Compare Source
Patch Changes
d447125Thanks @vicb! - Support composable cache in Next 16v1.14.6Compare Source
Patch Changes
#1043
c83cb83Thanks @vicb! - fix for CVE-2025-67779See https://nextjs.org/blog/security-update-2025-12-11
v1.14.5Compare Source
Patch Changes
#1042
763c4ecThanks @vicb! - Bump Next, React, and @opennextjs/aws to fix vulnerabilities (CVE-2025-55184 and CVE-2025-55183)See https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
See https://nextjs.org/blog/security-update-2025-12-11
See https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.5
#1034
721bff0Thanks @james-elicx! - output more wrangler command logs when the command fails#1023
a4a2f02Thanks @dario-piotrowicz! - When runningwrangler deployadd aOPEN_NEXT_DEPLOYenvironment variable to let wrangler know that it is being run by open-nextv1.14.4Compare Source
Patch Changes
#1020
07919d8Thanks @dario-piotrowicz! - Add missing WORKER_SELF_REFERENCE service binding in the wrangler.jsonc that the CLI creates#1032
1de4899Thanks @vicb! - fix(images): allow any local path when no localPatterns are specifiedConfiguration
📅 Schedule: (in timezone Asia/Tokyo)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.