Posts tagged "Security"

  • Security Update: Multiple vulnerabilities in Next.js

    We are aware of recently disclosed vulnerabilities affecting Next.js applications:

    1. CVE-2025-55173: Next.js Image Optimization – Arbitrary File Download
    2. CVE-2025-57822: Next.js Middleware – SSRF via Misuse of next()
    3. CVE-2025-57752: Next.js Image Optimization – Cache Poisoning / Unauthorized Disclosure

    As a security precaution, we recommend upgrading to the latest versions of Next.js and enabling automatic updates of the OpenNext Netlify Next.js adapter.

    The engineering team at Netlify has reviewed these and determined the following impact on Netlify sites:

    1. CVE-2025-55173: Next.js Image Optimization – Arbitrary File Download

    Sites on Netlify are not vulnerable.

    Next.js sites on Netlify use Netlify’s Image CDN instead of the affected built-in Next.js Image Optimization feature. Furthermore, the Netlify Image CDN strips the Content-Disposition header, which is required for successful exploitation of this vulnerability. With that header removed it is not possible to force a file download or override the filename, even when the requested image type does not match the source file type.

    2. CVE-2025-57822: Next.js Middleware – SSRF via Misuse of next()

    Sites on Netlify are not vulnerable.

    Our OpenNext adapter uses Edge Functions to run middleware and relies on the context.next() API as the underlying implementation of NextResponse.next() calls, passing the original request URL and preventing this attack vector.

    3. CVE-2025-57752: Next.js Image Optimization – Cache Poisoning / Unauthorized Disclosure

    Next.js sites on Netlify are potentially vulnerable, if the sites use the next/image component to fetch images from a source that uses headers to conditionally serve images.

    Next.js sites using the next/image component automatically opt into Netlify’s Image CDN, which by design caches the source assets on Netlify’s Edge Cache. This means that a source image served behind an authorization header is cached on the Netlify Edge Cache to improve performance, and later requests for the same image can be served that cached copy. Upgrading to the newest version of Next.js will not change this behavior.

    If your Next.js site serves images from a protected source, we advise you to not use the next/image component so that you have full control over the caching and authorization strategies required for your use-case.

    We are working continually with the Next.js team and are committed to making your sites secure on Netlify.

  • Security Update: Next.js sites on Netlify not vulnerable to CVE-2025-32421

    The Next.js team recently disclosed CVE-2025-32421, a low-severity vulnerability allowing for CDN cache poisoning in some scenarios.

    The engineering team at Netlify has confirmed that no Next.js sites on Netlify are vulnerable. The vulnerability requires a CDN that may cache responses lacking explicit Cache-Control headers, and Netlify’s CDN never does so.

    As a general security precaution, we recommend upgrading to the latest versions of the Next.js framework and allowing automatic updates of the OpenNext Netlify Next.js adapter.

  • Security Update: React Router and Remix Vulnerabilities

    We are aware of recently disclosed vulnerabilities affecting React Router and Remix:

    1. CVE-2025-31137 (React Router 7 and Remix): Spoofed request path allowing certain access control bypasses
    2. CVE-2025-43864 (React Router 7 only): Cache poisoning leading to unusable responses
    3. CVE-2025-43865 (React Router 7 only): Cache poisoning with arbitrary data

    Impact on Netlify sites:

    • CVE-2025-31137: Sites on Netlify are not vulnerable, because the Netlify CDN cache varies on the query string by default, and Remix and React Router sites on Netlify do not use the impacted Express package.
    • CVE-2025-43864: Sites on Netlify using React Router 7.2.0 to 7.5.1 were vulnerable until 2025-04-27 03:00 UTC. However, exploitation requires all of the following conditions for a given URL to be poisonable:
      • The site must not be using React Router’s SPA mode.
      • The page or loader must be explicitly setting caching headers.
      • A malicious request would need to be the first request to reach the cache (such as immediately after a deploy or cache invalidation).
    • CVE-2025-43865: Sites on Netlify using React Router 7.0.0 to 7.5.1 were vulnerable until 2025-04-27 03:00 UTC. However, exploitation requires all of the following conditions for a given URL to be poisonable:
      • The page or loader must be explicitly setting caching headers.
      • A malicious request would need to be the first request to reach the cache (such as immediately after a deploy or cache invalidation).

    We strongly recommend upgrading to the latest versions of React Router (7.5.2).

    Given these specific requirements, the number of vulnerable Netlify sites is low. However, out of an abundance of caution, our engineering team is actively rolling out a mitigation to further protect against these vulnerabilities. We will continue to monitor the situation and will provide updates as our work progresses.

    Update: As of 2025-04-27 3:00 AM UTC, a mitigation has been rolled out to the Netlify CDN for all vulnerable sites.
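    The three advisories above all turn on how a shared CDN cache chooses its key and decides what to store: caching a source image fetched with an authorization header (CVE-2025-57752), caching responses that carry no explicit Cache-Control (CVE-2025-32421), and keying on the path without the query string (the CVE-2025-31137 note). The following toy edge cache is an added example, not Netlify’s or any framework’s code; its request and response shapes, origin handlers, URLs, header values and bearer token are all constructed for illustration. Each demo function returns what the second, victim request receives, so the weak and the safe setting can be compared directly.

```javascript
// Added example (not Netlify's or Next.js's code): a toy shared CDN cache that
// makes the three cache behaviours in the advisories concrete. All requests,
// responses, origins, URLs and tokens below are constructed for illustration.

class EdgeCache {
  constructor({ includeQueryInKey = true, requireExplicitCacheControl = true } = {}) {
    this.includeQueryInKey = includeQueryInKey;
    this.requireExplicitCacheControl = requireExplicitCacheControl;
    this.store = new Map();
  }

  // Cache key: request path, plus the query string unless the key ignores it.
  keyFor(req) {
    const url = new URL(req.url, "https://site.invalid");
    return this.includeQueryInKey ? url.pathname + url.search : url.pathname;
  }

  // Storage policy: honour private/no-store, store on a positive max-age, and
  // with no Cache-Control at all store only if the cache is allowed to guess
  // (the weak setting the CVE-2025-32421 note describes).
  isCacheable(res) {
    const cc = (res.headers["cache-control"] || "").toLowerCase();
    if (/\b(private|no-store)\b/.test(cc)) return false;
    const m = cc.match(/\bmax-age=(\d+)/);
    if (m) return Number(m[1]) > 0;
    return !this.requireExplicitCacheControl;
  }

  // Serve from the cache on a key match, otherwise call the origin and store
  // the response if policy allows. `cached` records where the answer came from.
  fetch(req, origin) {
    const key = this.keyFor(req);
    if (this.store.has(key)) return { ...this.store.get(key), cached: true };
    const res = origin(req);
    if (this.isCacheable(res)) this.store.set(key, res);
    return { ...res, cached: false };
  }
}

// Constructed origin 1: an image gated by a bearer token. `imageCacheControl`
// is whatever the protected source puts on its successful response.
function makeProtectedImageOrigin(imageCacheControl) {
  return (req) => {
    if (req.headers.authorization !== "Bearer s3cret") {
      return { status: 403, headers: { "cache-control": "no-store" }, body: "forbidden" };
    }
    return { status: 200, headers: { "cache-control": imageCacheControl }, body: "PNG-BYTES" };
  };
}

// Disclosure: an authorised fetch populates the shared cache, and an anonymous
// request with the same key is then served the image without reaching the origin.
// Marking the image `private` keeps it out of the shared cache.
function demoProtectedSourceLeak(imageCacheControl) {
  const origin = makeProtectedImageOrigin(imageCacheControl);
  const cache = new EdgeCache();
  cache.fetch({ url: "/private/avatar.png", headers: { authorization: "Bearer s3cret" } }, origin);
  const anon = cache.fetch({ url: "/private/avatar.png", headers: {} }, origin);
  return { status: anon.status, cached: anon.cached };
}

// Constructed origin 2: a page whose body depends on a request header but that
// sends no Cache-Control header at all.
function headerDependentOrigin(req) {
  const wantsJson = req.headers.accept === "application/json";
  return { status: 200, headers: {}, body: wantsJson ? '{"page":"json"}' : "<html>page</html>" };
}

// Poisoning: a cache that stores responses lacking explicit Cache-Control lets the
// first request decide what every later visitor receives; a cache that requires
// explicit headers never stores it, so each visitor gets their own variant.
function demoImplicitCaching(requireExplicitCacheControl) {
  const cache = new EdgeCache({ requireExplicitCacheControl });
  cache.fetch({ url: "/dashboard", headers: { accept: "application/json" } }, headerDependentOrigin);
  const victim = cache.fetch({ url: "/dashboard", headers: { accept: "text/html" } }, headerDependentOrigin);
  return victim.body;
}

// Constructed origin 3: a search page that reflects its query parameter and is
// explicitly cacheable.
function searchOrigin(req) {
  const q = new URL(req.url, "https://site.invalid").searchParams.get("q") || "";
  return { status: 200, headers: { "cache-control": "public, max-age=60" }, body: `results for ${q}` };
}

// Key confusion: if the key drops the query string, an attacker's first request
// is served to everyone who later requests the same path with any query.
function demoQueryInKey(includeQueryInKey) {
  const cache = new EdgeCache({ includeQueryInKey });
  cache.fetch({ url: "/search?q=attacker-controlled", headers: {} }, searchOrigin);
  const victim = cache.fetch({ url: "/search?q=shoes", headers: {} }, searchOrigin);
  return victim.body;
}
```

    Run with the weak settings (a publicly cacheable protected image, `requireExplicitCacheControl: false`, `includeQueryInKey: false`) the victim request gets the cached 200, the attacker’s JSON variant and the attacker’s search results respectively; with the safe settings it gets a fresh 403, its own HTML and its own results. The model is deliberately simple (no TTL expiry, no Vary handling), but the two decisions it isolates, what goes into the key and what is allowed into the store, are exactly the ones the advisories above hinge on.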
