
Block requests vulnerable to opennext vulnerability #9635

Merged
CarmenPopoviciu merged 1 commit into main from
matthewrodgers/opennext-image-vuln
Jun 18, 2025

Conversation

@matthewdavidrodgers
Contributor

@matthewdavidrodgers matthewdavidrodgers commented Jun 17, 2025

Addresses GHSA-rvpw-p7vw-wj3m

This has already been applied in production, this commit keeps the repository in sync.

Images loaded via the /_next/image?url= were vulnerable to SSRF, and particularly if the user loaded the image in a new tab (instead of forcing the browser to treat it as an image). Thus, if the request didn't indicate that the browser was going to treat the resource as an image (via the 'Sec-Fetch-Dest: image' header), we block the request when it doesn't return image content.

Fixes WC-3704.


  • Tests
    • TODO (before merge)
    • Tests included
    • Tests not necessary because:
  • Wrangler / Vite E2E Tests CI Job required? (Use "e2e" label or ask maintainer to run separately)
    • I don't know
    • Required
    • Not required because: limited to router worker
  • Public documentation
    • TODO (before merge)
    • Cloudflare docs PR(s):
    • Documentation not necessary because: not public behavior
  • Wrangler V3 Backport
    • TODO (before merge)
    • Wrangler PR:
    • Not necessary because: not a wrangler change
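As an added example (not part of this PR and not the workers-sdk project's own code), the following JavaScript shows one way a router Worker could apply the rule the description states: an upstream response for `/_next/image?url=` is blocked only when the request did not carry `Sec-Fetch-Dest: image` and the response is not image content. The function names, the 403 status used for the block, and the `.example` origins are this example's own assumptions; the PR text only says the request is blocked.

```javascript
// Added example, not code from the workers-sdk project: a response guard for a
// router Worker that applies the rule the PR description states. Only when the
// request did not carry `Sec-Fetch-Dest: image` AND the upstream response is not
// image content is the response blocked. Function names and the 403 status are
// this example's own assumptions.

const NEXT_IMAGE_PATH = "/_next/image";

// True when the Content-Type media type is image/*; parameters such as charset
// are ignored and the comparison is case-insensitive.
function isImageContentType(contentType) {
  if (!contentType) return false;
  const mediaType = contentType.split(";")[0].trim().toLowerCase();
  return mediaType.startsWith("image/");
}

// True for the optimizer route the PR concerns: /_next/image with a url= param.
function isNextImageRequest(url) {
  const { pathname, searchParams } = new URL(url);
  return pathname === NEXT_IMAGE_PATH && searchParams.has("url");
}

// Pure decision on the two inputs the rule depends on. Returning the reason
// keeps the policy easy to log and to unit-test.
function decideImageResponse({ secFetchDest, contentType }) {
  if (typeof secFetchDest === "string" && secFetchDest.trim().toLowerCase() === "image") {
    return { allowed: true, reason: "browser will treat the resource as an image" };
  }
  if (isImageContentType(contentType)) {
    return { allowed: true, reason: "upstream returned image content" };
  }
  return { allowed: false, reason: "non-image content outside an image fetch context" };
}

// Wraps an upstream Response for a /_next/image request (Web-standard Request
// and Response, as available in Workers and Node 18+). Requests for other
// routes pass through untouched.
function guardNextImageResponse(request, upstreamResponse) {
  if (!isNextImageRequest(request.url)) return upstreamResponse;
  const decision = decideImageResponse({
    secFetchDest: request.headers.get("Sec-Fetch-Dest"),
    contentType: upstreamResponse.headers.get("Content-Type"),
  });
  if (decision.allowed) return upstreamResponse;
  // Assumed status: the PR text only says the request is blocked.
  return new Response("Blocked: " + decision.reason, {
    status: 403,
    headers: { "Content-Type": "text/plain" },
  });
}

// Constructed scenarios (not real traffic): returns the status the browser
// would receive in each case.
function runConstructedScenarios() {
  const origin = "https://app.example"; // placeholder origin
  const imageUrl =
    origin + NEXT_IMAGE_PATH + "?url=" + encodeURIComponent("https://upstream.example/a.png");
  const cases = {
    // <img> tag fetch: the browser treats the bytes as an image, so it passes through
    imgTagNonImageBody: [
      new Request(imageUrl, { headers: { "Sec-Fetch-Dest": "image" } }),
      new Response("<html>", { headers: { "Content-Type": "text/html" } }),
    ],
    // opened in a new tab, but upstream really returned an image: allowed
    newTabImageBody: [
      new Request(imageUrl, { headers: { "Sec-Fetch-Dest": "document" } }),
      new Response("PNG bytes", { headers: { "Content-Type": "image/png" } }),
    ],
    // opened in a new tab and upstream returned HTML: blocked
    newTabHtmlBody: [
      new Request(imageUrl, { headers: { "Sec-Fetch-Dest": "document" } }),
      new Response("<html>", { headers: { "Content-Type": "text/html; charset=utf-8" } }),
    ],
    // unrelated route: the guard does not apply
    otherRoute: [
      new Request(origin + "/api/data"),
      new Response("{}", { headers: { "Content-Type": "application/json" } }),
    ],
  };
  const out = {};
  for (const [name, [req, res]] of Object.entries(cases)) {
    out[name] = guardNextImageResponse(req, res).status;
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runConstructedScenarios());
}
```

A request with no `Sec-Fetch-Dest` header at all (older clients) is treated like a non-image context, so it is only served when the upstream really returns `image/*`; that is the conservative reading of the rule, since the header's absence gives no evidence that the bytes will be rendered as an image.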

@matthewdavidrodgers matthewdavidrodgers requested review from a team as code owners June 17, 2025 16:15
@changeset-bot

changeset-bot bot commented Jun 17, 2025

🦋 Changeset detected

Latest commit: 0a5749a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name                        Type
@cloudflare/workers-shared  Patch


@pkg-pr-new

pkg-pr-new bot commented Jun 17, 2025

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@9635

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@9635

miniflare

npm i https://pkg.pr.new/miniflare@9635

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@9635

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@9635

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@9635

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@9635

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@9635

wrangler

npm i https://pkg.pr.new/wrangler@9635

commit: 35fc2e6

@matthewdavidrodgers matthewdavidrodgers force-pushed the matthewrodgers/opennext-image-vuln branch from 6128ffb to 6bc0688 Compare June 17, 2025 16:18
@matthewdavidrodgers matthewdavidrodgers self-assigned this Jun 17, 2025
@CarmenPopoviciu
Contributor

@matthewdavidrodgers could we please get a review from D&C 🙏 ?

Contributor

@petebacondarwin petebacondarwin left a comment


Let's land this since it is already in production.

@github-project-automation github-project-automation bot moved this from Untriaged to Approved in workers-sdk Jun 18, 2025
@matthewdavidrodgers matthewdavidrodgers force-pushed the matthewrodgers/opennext-image-vuln branch from 6bc0688 to 0a5749a Compare June 18, 2025 16:29
Addresses GHSA-rvpw-p7vw-wj3m

This has already been applied in production, this commit keeps the
repository in sync.

Images loaded via the /_next/image?url=<some remote image> were
vulnerable to SSRF, and particularly if the user loaded the image in a
new tab (instead of forcing the browser to treat it as an image). Thus,
if the request didn't indicate that the browser was going to treat the
resource as an image (via the 'Sec-Fetch-Dest: image' header), we block
the request when it doesn't return image content.
@matthewdavidrodgers matthewdavidrodgers force-pushed the matthewrodgers/opennext-image-vuln branch from 0a5749a to 35fc2e6 Compare June 18, 2025 16:31
@CarmenPopoviciu CarmenPopoviciu merged commit b066cf8 into main Jun 18, 2025
19 checks passed
@CarmenPopoviciu CarmenPopoviciu deleted the matthewrodgers/opennext-image-vuln branch June 18, 2025 16:58
@github-project-automation github-project-automation bot moved this from Approved to Done in workers-sdk Jun 18, 2025
jseba added a commit to jseba/workers-sdk that referenced this pull request Jun 18, 2025
…seba/containers_scope

* 'main' of ssh://github.com/cloudflare/workers-sdk: (31 commits)
  Refactor preview mode and ensure compatibility with Vite 7 (cloudflare#9647)
  Block requests vulnerable to opennext vulnerability (cloudflare#9635)
  Add test for cloudchamber buildAndMaybePush (cloudflare#9638)
  chore: remove redundant binding guide superseded by internal docs (cloudflare#9648)
  add changeset to trigger release of workers/pages projects (cloudflare#9649)
  Add @handler to Python templates. (cloudflare#9305)
  Migrate from unbuild to obuild (cloudflare#9243)
  Version Packages (cloudflare#9650)
  fix changeset (cloudflare#9651)
  containers: Default scheduling policy should be the default (cloudflare#9621)
  Rename Mixed Mode to remote proxy/remote bindings depending on context (cloudflare#9586)
  Version Packages (cloudflare#9632)
  Correctly mock out getDockerImageDigest for testing buildAndMaybePush (cloudflare#9636)
  [C3] Bump create-remix from 2.16.6 to 2.16.8 in /packages/create-cloudflare/src/frameworks (cloudflare#9525)
  Remove "Cloudchamber" from user facing error messages (cloudflare#9628)
  sync local containers with latest workerd (cloudflare#9576)
  Bump the workerd-and-workers-types group with 2 updates (cloudflare#9591)
  [C3] Bump gatsby from 5.14.3 to 5.14.4 in /packages/create-cloudflare/src/frameworks (cloudflare#9524)
  [C3] Bump create-react-router from 7.6.1 to 7.6.2 in /packages/create-cloudflare/src/frameworks (cloudflare#9526)
  [C3] Bump create-docusaurus from 3.8.0 to 3.8.1 in /packages/create-cloudflare/src/frameworks (cloudflare#9527)
  ...
