Next.js app compromised even with CF Access enabled
Hey,
I’m trying to understand a recent security incident and would appreciate any help.
I had a Next.js app using the App Router running on a server, which had the vulnerable Next.js version with CVE-2025-66478, bound to 127.0.0.1, not exposed publicly. I also had Cloudflare Zero Trust enabled on the domain (tools.jbz.dev), with rules that block everyone except me. I would assume, though, that Cloudflare Zero Trust Access would redirect any request back to the auth page, but multiple requests still managed to reach the server.
The Next.js app and the backend, which was Quart, were bound to localhost, so I doubt it would be the server IP that was accessed instead of the actual URL it was hosted on.
Cloudflare Zero Trust was active, so public requests should not reach the app.
I'm so confused about how this happened.




logs.txt (58.38 KB)