Link to heading Summary A vulnerability affecting Next.js Middleware has been addressed. It impacted versions prior to v14.2.32 and v15.4.7 , and involved a Server-Side Request Forgery (SSRF) risk introduced by misconfigured usage of the NextResponse.next() function within middleware. Applications that reflected a user's request headers in this function, rather than passing them through the request object, could unintentionally allow the server to issue requests to attacker-controlled destinations. A patch applied on August 25th, 2025 eliminated exposure for Vercel customers running the affected versions.…