Vulnerability in sonicjs project

While working on sonicjs project, I discovered a vulnerability in the @opennextjs/cloudflare package [(CVE-2026-3125)](https://vulert.com/vuln-db/CVE-2026-3125). The issue is caused by a path normalization bypass in the /cdn-cgi/image handler. By using a backslash (\) instead of a forward slash (/) in the request path, an attacker can bypass Cloudflare edge interception and make the Worker fetch arbitrary remote URLs. 

[CVE Link](https://vulert.com/vuln-db/CVE-2026-3125)
[CVE Report](https://vulert.com/vuln-scan/list/e4681b4e-928c-4af5-b5a8-ab89b64590de?sort_order=desc&sort_by=created_at)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Vulnerability in sonicjs project #683

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Vulnerability in sonicjs project #683

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions