pull down to refresh

Critical Next.js Vulnerability Allows Attackers Bypass Middleware Authorizationthehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html
204 sats \ 2 comments \ @ch0k1 16h security
A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions.
The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0.
"Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops," Next.js said in an advisory.
"It was possible to skip running middleware, which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes."
It's worth noting that CVE-2025-29927 impacts only self-hosted versions that use "next start" with "output: standalone." Next.js apps hosted on Vercel and Netlify, or deployed as static exports, are not affected.
write
preview
related posts
21 sats \ 1 reply \ @ek 16h
wow, that sounds bad 👀
making sure we aren't affected
update: we updated to v14.2.25 a few days ago but I think we wouldn't have been affected anyway.
reply
0 sats \ 0 replies \ @ch0k1 OP 15h
Happy to inform and give context for thought about SN security
reply