CVE-2026-3125

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-3125
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3125.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-3125
Aliases
Published
2026-03-04T19:16:19.730Z
Modified
2026-04-02T13:23:55.351401Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler.The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare's edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs.

For example:

https://victim-site.com/cdn-cgi\image/aaaa/https://attacker.com

In this example, attacker-controlled content from attacker.com is served through the victim site's domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.

Note: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests.

Additionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi... instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/nextcache, which could be exposed via this bypass.

References

Affected packages

Git / github.com/opennextjs/opennextjs-cloudflare

Affected ranges

Type
GIT
Repo
https://github.com/opennextjs/opennextjs-cloudflare
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
206794f1341023294147e7ef0b09146b7c7caaeb
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.17.1"
        }
    ]
}

Affected versions

@opennextjs/cloudflare@0.*
@opennextjs/cloudflare@0.0.3
@opennextjs/cloudflare@0.1.0
@opennextjs/cloudflare@0.1.1
@opennextjs/cloudflare@0.2.0
@opennextjs/cloudflare@0.2.1
@opennextjs/cloudflare@0.3.0
@opennextjs/cloudflare@0.3.1
@opennextjs/cloudflare@0.3.10
@opennextjs/cloudflare@0.3.2
@opennextjs/cloudflare@0.3.3
@opennextjs/cloudflare@0.3.4
@opennextjs/cloudflare@0.3.5
@opennextjs/cloudflare@0.3.6
@opennextjs/cloudflare@0.3.7
@opennextjs/cloudflare@0.3.8
@opennextjs/cloudflare@0.3.9
@opennextjs/cloudflare@0.4.0
@opennextjs/cloudflare@0.4.1
@opennextjs/cloudflare@0.4.2
@opennextjs/cloudflare@0.4.3
@opennextjs/cloudflare@0.4.4
@opennextjs/cloudflare@0.4.5
@opennextjs/cloudflare@0.4.6
@opennextjs/cloudflare@0.4.7
@opennextjs/cloudflare@0.4.8
@opennextjs/cloudflare@0.5.0
@opennextjs/cloudflare@0.5.1
@opennextjs/cloudflare@0.5.10
@opennextjs/cloudflare@0.5.11
@opennextjs/cloudflare@0.5.12
@opennextjs/cloudflare@0.5.2
@opennextjs/cloudflare@0.5.3
@opennextjs/cloudflare@0.5.4
@opennextjs/cloudflare@0.5.5
@opennextjs/cloudflare@0.5.6
@opennextjs/cloudflare@0.5.7
@opennextjs/cloudflare@0.5.8
@opennextjs/cloudflare@0.5.9
@opennextjs/cloudflare@0.6.0
@opennextjs/cloudflare@0.6.1
@opennextjs/cloudflare@0.6.2
@opennextjs/cloudflare@0.6.3
@opennextjs/cloudflare@0.6.4
@opennextjs/cloudflare@0.6.5
@opennextjs/cloudflare@0.6.6
@opennextjs/cloudflare@1.*
@opennextjs/cloudflare@1.0.0
@opennextjs/cloudflare@1.0.0-beta.0
@opennextjs/cloudflare@1.0.0-beta.1
@opennextjs/cloudflare@1.0.0-beta.2
@opennextjs/cloudflare@1.0.0-beta.3
@opennextjs/cloudflare@1.0.0-beta.4
@opennextjs/cloudflare@1.0.1
@opennextjs/cloudflare@1.0.2
@opennextjs/cloudflare@1.0.3
@opennextjs/cloudflare@1.0.4
@opennextjs/cloudflare@1.1.0
@opennextjs/cloudflare@1.10.0
@opennextjs/cloudflare@1.10.1
@opennextjs/cloudflare@1.11.0
@opennextjs/cloudflare@1.11.1
@opennextjs/cloudflare@1.12.0
@opennextjs/cloudflare@1.13.0
@opennextjs/cloudflare@1.13.1
@opennextjs/cloudflare@1.14.0
@opennextjs/cloudflare@1.14.1
@opennextjs/cloudflare@1.14.10
@opennextjs/cloudflare@1.14.2
@opennextjs/cloudflare@1.14.3
@opennextjs/cloudflare@1.14.4
@opennextjs/cloudflare@1.14.5
@opennextjs/cloudflare@1.14.6
@opennextjs/cloudflare@1.14.7
@opennextjs/cloudflare@1.14.8
@opennextjs/cloudflare@1.14.9
@opennextjs/cloudflare@1.15.0
@opennextjs/cloudflare@1.15.1
@opennextjs/cloudflare@1.16.0
@opennextjs/cloudflare@1.16.1
@opennextjs/cloudflare@1.16.2
@opennextjs/cloudflare@1.16.3
@opennextjs/cloudflare@1.16.4
@opennextjs/cloudflare@1.16.5
@opennextjs/cloudflare@1.16.6
@opennextjs/cloudflare@1.17.0
@opennextjs/cloudflare@1.2.0
@opennextjs/cloudflare@1.2.1
@opennextjs/cloudflare@1.3.0
@opennextjs/cloudflare@1.3.1
@opennextjs/cloudflare@1.4.0
@opennextjs/cloudflare@1.5.0
@opennextjs/cloudflare@1.5.1
@opennextjs/cloudflare@1.5.2
@opennextjs/cloudflare@1.5.3
@opennextjs/cloudflare@1.6.0
@opennextjs/cloudflare@1.6.1
@opennextjs/cloudflare@1.6.2
@opennextjs/cloudflare@1.6.3
@opennextjs/cloudflare@1.6.4
@opennextjs/cloudflare@1.6.5
@opennextjs/cloudflare@1.7.0
@opennextjs/cloudflare@1.7.1
@opennextjs/cloudflare@1.8.0
@opennextjs/cloudflare@1.8.1
@opennextjs/cloudflare@1.8.2
@opennextjs/cloudflare@1.8.3
@opennextjs/cloudflare@1.8.4
@opennextjs/cloudflare@1.8.5
@opennextjs/cloudflare@1.9.0
@opennextjs/cloudflare@1.9.1
@opennextjs/cloudflare@1.9.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3125.json"