Jump to content
  • Critical flaw in Next.js lets hackers bypass authorization


    Karlston

    • 158 views
    • 3 minutes
     Share


    • 158 views
    • 3 minutes

    A critical severity vulnerability has been discovered in the Next.js open-source web development framework, potentially allowing attackers to bypass authorization checks.

     

    The flaw, tracked as CVE-2025-29927, enables attackers to send requests that reach destination paths without going through critical security checks.

     

    Next.js is a popular React framework with more than 9 million weekly downloads on npm. It is used for building full-stack web apps and includes middleware components for authentication and authorization.

     

    Front-end and full-stack developers use it to build web apps with React. Some of the more notable companies using it for their sites/apps are TikTok, Twitch, Hulu, Netflix, Uber, and Nike.

    Authorization bypass

    In Next.js, middleware components run before a request hits an application routing system and serve purposes like authentication, authorization, logging, error handling, redirecting users, applying geo-blocking or rate limits.

     

    To prevent infinite loops where middleware re-triggers itself, Next.js uses a header called 'x-middleware-subrequest' that dictates if middleware functions should be applied or not.

     

    The header is retrieved by the 'runMiddleware' function responsible for processing incoming requests. If it detects the 'x-middleware-subrequest' header, with a specific value, the entire middleware execution chain is bypassed and the request is forwarded to its destination.

     

    An attacker can manually send a request that includes the header with a correct value and thus bypass protection mechanisms.

     

    According to researchers Allam Rachid and Allam Yasser (inzo_), who discovered the vulnerability and published a technical write-up, "the header and its value act as a universal key allowing rules to be overridden."

     

    The vulnerability impacts all Next.js versions before 15.2.3, 14.2.25, 13.5.9. and 12.3.5. Users are recommended to upgrade to newer revisions as soon as possible, since technical details for exploiting the security issue are public.

     

    Next.js' security bulletin clarifies that CVE-2025-29927 impacts only self-hosted versions that use 'next start' with 'output: standalone'. Next.js apps apps hosted on Vercel and Nerlify, or deployed as static exports, are not affected.

     

    Also affected are environments where middleware is used for authorization or security checks and there is no validation later in the application.

     

    If patching is not possible at the time, the recommendation is to block external user requests that include the 'x-middleware-subrequest header'.

     

    Source


    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every day for many years.

    News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of February): 874

    RIP Matrix | Farewell my friend  :sadbye:


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...