chore(deps): update dependency @opennextjs/cloudflare to v1.17.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@opennextjs/cloudflare (source)	1.14.10 → 1.17.1

GitHub Vulnerability Alerts

CVE-2026-3125

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @​opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler.

The @​opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare's edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs.

For example: https://victim-site.com/cdn-cgi\image/aaaa/https://attacker.com

In this example, attacker-controlled content from attacker.com is served through the victim site's domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.

Note: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests.

Additionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi... instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.

Impact

• SSRF via path normalization bypass of Cloudflare edge interception
• Arbitrary remote content loading under the victim site's domain
• Same-origin policy bypass
• Potential for infrastructure abuse (scanning from Cloudflare IP space, worker resource exhaustion)
• Exposure of private assets stored under /cdn-cgi/ paths. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.

Credits

Disclosed responsibly by security researcher @​Ezzer17.

Mitigations

The following mitigations have been put in place:

Server-side updates to Cloudflare's Workers platform to block backslash path normalization bypasses for /cdn-cgi requests. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare Workers.

In addition to the platform level fix, Root cause fix has been implemented to the Cloudflare adapter for Open Next. The patched version of the adapter is found at @​opennextjs/cloudflare@1.17.1 (https://www.npmjs.com/package/@​opennextjs/cloudflare)

Dependency update to the Next.js template used with create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. Despite the automatic mitigation deployed on Cloudflare's platform, we encourage affected users to upgrade to the patched version of @​opennextjs/cloudflare.

---

Release Notes

opennextjs/opennextjs-cloudflare (@​opennextjs/cloudflare)

v1.17.1

Compare Source

Patch Changes

• #​1147 f5bd138 Thanks @​vicb! - make dev /cdn-cgi/image behaves like prod for consistency

v1.17.0

Compare Source

Minor Changes

• #​1133 25d5835 Thanks @​dario-piotrowicz! - Update the migrate command to attempt to create an R2 bucket for caching, if that is not possible an application without caching enabled will be generated instead.

v1.16.6

Compare Source

Patch Changes

• #​1138 4487f1f Thanks @​james-elicx! - Fix the CLI potentially setting a future compatibility date in the wrangler config when workerd has published a version matching a future date, by capping to the current date.

v1.16.5

Compare Source

Patch Changes

• #​1127 2b437f1 Thanks @​dario-piotrowicz! - In the migrate command, add an initial step to create a Next.js config file (required by open-next) if it doesn't exist

• #​1126 8c3a36e Thanks @​alex-all3dp! - fix: prevent Worker hang on HEAD requests to static assets

v1.16.4

Compare Source

Patch Changes

• #​1122 6c94a4a Thanks @​dario-piotrowicz! - In migrate command, avoid adding unnecessary newlines when creating files

• #​1122 6c94a4a Thanks @​dario-piotrowicz! - fix migrate command incorrectly erroring if the target application doesn't have a public directory

• #​1122 6c94a4a Thanks @​dario-piotrowicz! - Bump @opennextjs/aws to 3.9.16

  • Fix migrate command not updating Next.js config files
  • Fixes #​1062, #​1115

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.16

• #​1097 fea645f Thanks @​dario-piotrowicz! - Add --help and --version to the opennextjs-cloudflare CLI

  Improve the opennextjs-cloudflare CLI by:

  • ensuring that unknown commands (e.g., opennextjs-cloudflare foo) display a clear and helpful error message
  • adding a -h|--help flag to display the CLI's help message
  • adding a -v|--version flag to display the package's version

v1.16.3

Compare Source

Patch Changes

• #​1113 09c41f1 Thanks @​anonrig! - bump @opennextjs/aws to 3.9.15

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.15

v1.16.2

Compare Source

Patch Changes

• #​1105 e6938a0 Thanks @​vicb! - allow using a regional cache with KV

v1.16.1

Compare Source

Patch Changes

• #​1100 8676c78 Thanks @​vicb! - Empty NextNodeServer#handleNextImageRequest to avoid pulling unneeded deps (in #​1098)

v1.16.0

Compare Source

Minor Changes

• #​1083 b062597 Thanks @​dario-piotrowicz! - feature: add migrate command to set up OpenNext for Cloudflare adapter

  This command helps users migrate existing Next.js applications to the OpenNext Cloudflare adapter by automatically setting up all necessary configuration files, dependencies, and scripts.

  To use the command simply run: npx opennextjs-cloudflare migrate

Patch Changes

• #​1092 4279043 Thanks @​vicb! - Check for supported Next version

  The build will now error for unsupported Next version which may contain unpatched security vulnerabilities.
  You can bypass the check using the --dangerouslyUseUnsupportedNextVersion flag.

v1.15.1

Compare Source

Patch Changes

• #​1085 74302ec Thanks @​vicb! - fix the detection of the runtime (webpack vs turbopack)

v1.15.0

Compare Source

Minor Changes

• #​1081 ae3d43d Thanks @​vicb! - Next 16 is now supported

Patch Changes

• #​1076 c99eefd Thanks @​vicb! - fix: do not bundle og when not used

  This saves ~500kB when og is not used

• #​1079 6ac789a Thanks @​vicb! - fix: use the correct runtime (i.e. webpack or turbopack)

• #​1078 249f738 Thanks @​vicb! - drop unused react-dom modules

  This saves ~500kB on the output bundle

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Version Preview URL: https://5e38a4d3-dreamvision.nemolize.workers.dev