Hi team,
While reviewing the middleware in the Medusa Next.js Storefront Starter, I noticed that it uses NextResponse.next() without explicitly passing the request object.
Recently, Next.js published a security advisory related to middleware usage and NextResponse.next(), particularly in self-hosted environments with custom middleware logic:
https://vercel.com/changelog/cve-2025-57822
https://github.com/advisories/GHSA-4342-x723-ch2f
The advisory recommends verifying correct usage of `next()` and generally shows examples using:

```js
return NextResponse.next({ request })
```
From what I understand, the issue mainly affects cases where request headers are forwarded or reflected, which may not apply to the current Medusa middleware. Still, I wanted to ask for your perspective.
My questions:

- Do you consider the current `NextResponse.next()` usage in the storefront starter safe as-is?
- In light of the advisory, would you recommend updating this to `NextResponse.next({ request })`, or is it unnecessary in this case?
- Are there any specific reasons for keeping the current pattern?
I’m mostly looking for guidance on whether action is needed for projects based on the starter, especially in self-hosted or reverse-proxy setups.
Thanks in advance for your insight.
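The distinction the question turns on, shown as an added example that is not code from the issue author, the Medusa storefront starter, Next.js, or the advisory: it models the "request headers forwarded or reflected" hazard with the standard `Request`/`Response`/`Headers` APIs (global in Node 18+), which `NextResponse` builds on, rather than importing `next/server`. It does not claim to reproduce the exact mechanics of CVE-2025-57822. The request, the `Location` value and the `x-middleware-seen` marker are constructed for the illustration; the second pattern mirrors the shape of the documented Next.js form `NextResponse.next({ request: { headers } })`, where headers placed under `request` are forwarded to the downstream handler rather than emitted to the client.

```javascript
// Added illustration; not code from the issue, the Medusa starter, Next.js or the advisory.
// Models header reflection with standard Fetch APIs; does not reproduce CVE-2025-57822 itself.

// Constructed incoming request. A client has supplied a Location header, which
// no legitimate browser request carries; the value is attacker-controlled.
function makeRequest() {
  return new Request("https://storefront.example/collections", {
    headers: {
      "user-agent": "constructed-client/1.0",
      "accept": "text/html",
      "location": "http://127.0.0.1:9000/admin", // constructed attacker value
    },
  });
}

// Pattern 1 (hazardous): reflect every incoming header onto the response.
// Location is a response header that browsers and proxies act on, so the
// client-supplied value now drives where the response points.
function reflectAllHeaders(req) {
  return new Response(null, { status: 200, headers: req.headers });
}

// Pattern 2: keep request headers on the request side and only emit an
// explicit allowlist on the response. This mirrors the request/response split
// of NextResponse.next({ request: { headers } }): headers under `request`
// reach the route handler, not the client.
const RESPONSE_ALLOWLIST = new Set(["x-request-id", "cache-control"]);

function forwardOnRequestSide(req) {
  const requestHeaders = new Headers(req.headers);
  requestHeaders.set("x-middleware-seen", "1"); // hypothetical marker for the handler

  const responseHeaders = new Headers();
  for (const [name, value] of req.headers) {
    if (RESPONSE_ALLOWLIST.has(name)) responseHeaders.set(name, value);
  }
  return {
    forwardedRequestHeaders: requestHeaders,
    response: new Response(null, { status: 200, headers: responseHeaders }),
  };
}

// Check a practitioner can run against any middleware output: does the
// response carry a Location header that originated from the client?
function responseReflectsLocation(res) {
  return res.headers.has("location");
}
```

Run `responseReflectsLocation` against the two patterns: the reflected response carries the client's `Location`, the allowlisted one does not, while the forwarded request headers still contain the attacker value for the handler to inspect (and ignore). The point for self-hosted or reverse-proxy setups is that whatever sits in front of the app will honour a `Location` the middleware emits, so the response side must never be populated wholesale from request headers.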