Mitigations put in place for SSRF in @opennextjs/cloudflare
#23068
Conversation
|
This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:
|
|
|
||
| **Package dependency update:** Pull request [cloudflare/workers-sdk#9608](https://github.com/cloudflare/workers-sdk/pull/9608) to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare has been published as `create-cloudflare@2.49.3`. | ||
|
|
||
| In addition to the automatic mitigation deployed on Cloudflare's platform, we encourage affected users to upgrade to `@opennext/cloudflare` v1.3.0 and use the [`remotePatterns`](https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns) filter in Next config if they need to allow-list external urls with images assets. |
There was a problem hiding this comment.
same comment here for automatic?
|
Preview URL: https://cd4b3b59.preview.developers.cloudflare.com Files with changes (up to 15) |
| @@ -0,0 +1,33 @@ | |||
| --- | |||
| title: SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint | |||
There was a problem hiding this comment.
if the changelog entry should reflect the changes put in place, more than just a notification that a vuln was identified, perhaps:
| title: SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint | |
| title: Mitigation for SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint |
| @@ -0,0 +1,33 @@ | |||
| --- | |||
| title: SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint | |||
| description: A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, which has been automatically mitigated for all existing deployments. | |||
There was a problem hiding this comment.
maybe more emphasis on the mitigation than the vuln?
| description: A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, which has been automatically mitigated for all existing deployments. | |
| description: Mitigations have been put in place for all existing and future deployments of sites with the Cloudflare adapter for Open Next in response to an identified Server-Side Request Forgery (SSRF) vulnerability in the @opennextjs/cloudflare package |
| @@ -0,0 +1,33 @@ | |||
| --- | |||
| title: SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint | |||
There was a problem hiding this comment.
+1
| title: SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint | |
| title: SSRF vulnerability in @opennextjs/cloudflare proactively mitigated for all Cloudflare customers |
|
|
||
| The following mitigations have been put in place: | ||
|
|
||
| **Server side updates** to Cloudflare's platform to restrict the content loaded via the `/_next/image` endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next |
There was a problem hiding this comment.
Suggest referencing this more directly in first 2-3 sentences
|
Nit: Please try and name changelog PRs after what the feature is vs. "next change log." It makes it a lot harder to know what this is for otherwise. |
Co-authored-by: Brendan Irvine-Broque <birvine-broque@cloudflare.com>
Apologies, I could've been more clear. This is a branch for a changelog relating to the "Open Next" adapter |
penalosa
changed the title
@opennextjs/cloudflare
…lare#23068) * Open next changelog * Update src/content/changelog/workers/2025-06-17-open-next-ssrf.mdx Co-authored-by: Brendan Irvine-Broque <birvine-broque@cloudflare.com> * updates * updates --------- Co-authored-by: ANT Bot <116369605+workers-devprod@users.noreply.github.com> Co-authored-by: Brendan Irvine-Broque <birvine-broque@cloudflare.com>
Summary
Screenshots (optional)
Documentation checklist