CVE-2026-3125
Received Received - Intake
SSRF and Data Exposure via Path Normalization Bypass in @opennextjs/cloudflare

Publication date: 2026-03-04

Last updated on: 2026-03-09

Assigner: Cloudflare, Inc.

Description
A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler.The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare's edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs. For example: https://victim-site.com/cdn-cgi\image/aaaa/https://attacker.com In this example, attacker-controlled content from attacker.com is served through the victim site's domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services. Note: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests. Additionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi\... instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3125
EUVD
EUVD-2026-9474
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opennextjs opennext_for_cloudflare to 1.17.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3125 is a Server-Side Request Forgery (SSRF) vulnerability in the @opennextjs/cloudflare package caused by a path normalization bypass in the /cdn-cgi/image/ handler. The vulnerability arises because the worker template includes this handler for development only, and in production, Cloudflare's edge normally intercepts these requests. However, by replacing a forward slash with a backslash in the URL path (e.g., /cdn-cgi\image/ instead of /cdn-cgi/image/), an attacker can bypass this interception and have the request reach the Worker directly.

The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs. This allows attacker-controlled content to be served through the victim site's domain, violating the same-origin policy and potentially misleading users or services.

Additionally, this bypass can expose private assets stored under /cdn-cgi/ paths, which are normally not publicly accessible, by making them accessible through the backslash bypass. This could lead to exposure of private data such as incremental cache data stored by Open Next projects.

Impact Analysis

This vulnerability can impact you by allowing attackers to serve arbitrary remote content through your domain, violating the same-origin policy. This can mislead users or services into trusting malicious content as if it originated from your site.

It also enables attackers to access private assets stored under normally protected paths by exploiting the backslash bypass, potentially exposing sensitive or private data.

Overall, the impacts include phishing risks, exposure of internal or private resources, and abuse of your domain to proxy malicious content.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by testing whether requests with backslashes in the path bypass Cloudflare's edge interception and reach the Worker directly. For example, sending a request to a URL like https://victim-site.com/cdn-cgi\image/ and observing if the Worker processes it can indicate the presence of the vulnerability.

Since browsers normalize backslashes to forward slashes, detection requires using HTTP clients that preserve backslashes in paths, such as curl with the --path-as-is option.

A sample command to test this behavior is:

  • curl --path-as-is -v https://victim-site.com/cdn-cgi\image/aaaa/https://attacker.com

If the response includes content fetched from the attacker-controlled URL, it confirms the SSRF vulnerability via path normalization bypass.

Mitigation Strategies

Immediate mitigation steps include upgrading the @opennextjs/cloudflare package to version 1.3.0 or later, where the vulnerability has been fixed.

Additionally, use the remotePatterns filter in the Next.js configuration to allow-list external image URLs securely, preventing arbitrary remote URL loading.

Ensure that Cloudflare Workers and Cloudflare Pages are updated to restrict access to /cdn-cgi/ paths and prevent the backslash bypass.

If upgrading immediately is not possible, consider implementing server-side validation to reject requests containing backslashes in the path or normalize paths before processing.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3125. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart