SFBA Moderators @moderators

0 posts0 participants0 posts today

**Olly** @Olly42@nerdculture.de · Mar 27

Critical Flaw in Next.js lets Attackers bypass Authorization.

A recent collaborative effort by researchers Rachid Allam and Yasser Allam has exposed a critical vulnerability within the Next.js framework, a widely used JavaScript framework based on React with nearly 10 million weekly downloads.

https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

Their research, documented in a detailed publication, reveals a flaw in the Next.js middleware that allows for unauthorized access and control, impacting all versions of the framework. This flaw, designated CVE-2025-29927 and rated as critical.

<https://nvd.nist.gov/vuln/detail/CVE-2025-29927>

Reportedly, the vulnerability specifically targets the middleware function, which is a component designed to execute code before a request is completed and is frequently used for crucial security functions, including authentication and authorization. However, the discovered vulnerability allows attackers to bypass these security measures.

The core of the vulnerability lies in the handling of the “x-middleware-subrequest” header. By manipulating this header with a specific value, attackers can effectively ignore the middleware’s intended rules, gaining unauthorized access. As Allam explained, “The header and its value act as a universal key allowing rules to be overridden.”

[ImageSource: zhero-web-sec]

The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0.

"Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops," Next.js said in an advisory. "It was possible to skip running middleware, which could allow requests to skip critical checks [such as authorization cookie validation] before reaching routes."

<https://nextjs.org/blog/cve-2025-29927>

The shortcoming has been addressed in versions 12.3.5, 13.5.9, 14.2.25 and 15.2.3. If patching is not an option, it's recommended that users prevent external user requests that contain the x-middleware-subrequest header from reaching the Next.js application.

⚠️The company also said any host website that utilizes middleware to authorize users without any additional authorization checks is vulnerable to CVE-2025-29927, potentially enabling attackers to access otherwise unauthorized resources (e.g., admin pages).⚠️

#nextjs #middleware #it

**Markus Eisele** @myfear@mastodon.online · Mar 24

Mar 24

Markus Eisele @myfear@mastodon.online

Red Hat Middleware moving to IBM http://markclittle.blogspot.com/2025/03/red-hat-middleware-moving-to-ibm.html by @nmcl
#redhat #ibm #middleware

markclittle.blogspot.comRed Hat Middleware moving to IBMIt's been a while since I wrote anything on my blog. I'm not even sure if blogging is a thing anymore! Maybe I should be recording a short T...

**𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕** @kubikpixel@chaos.social · Mar 24

Mar 24

𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕 @kubikpixel@chaos.social

»Critical Next.js Middleware Vulnerability Allows Attackers to Bypass Authorization:
A severe vulnerability has been identified in Next.js, a popular React framework used for building web applications, under the designation CVE-2025-29927.«

Well, I have to give it up and look at it.

https://gbhackers.com/critical-next-js-middleware-vulnerability/

GBHackers Security | #1 Globally Trusted Cyber Security News Platform · Mar 24Critical Next.js Middleware Vulnerability Allows Attackers to Bypass AuthorizationA severe vulnerability has been identified in Next.js, a popular React framework used for building web applications, under the designation CVE-2025-29927.

#javascript #nextjs #webdev

**Suzanne Aldrich (she/her)** @suzannealdrich@hachyderm.io · Mar 23

Mar 23

Suzanne Aldrich (she/her) @suzannealdrich@hachyderm.io

Critical Next.js Middleware Vulnerability (CVE-2025-29927)

A major auth bypass vulnerability in Next.js middleware (prior to v14.2.25 / v15.2.3) allows attackers to inject the x-middleware-subrequest header and bypass authorization entirely. Exploitable via simple HTTP requests—no user interaction, no special permissions.

Patch. Now. Or block the header manually.

GitHub scored this 9.1 CRITICAL, but the real issue? This flaw exposes a systemic weakness in middleware validation, and some vendors weren’t exactly upfront about the risks.

Details + POC: https://zeropath.com/blog/nextjs-middleware-cve-2025-29927-auth-bypass
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29927

Security theater is easy. Secure defaults and transparency are harder—but essential.

zeropath.comNext.js Middleware Exploit: CVE-2025-29927 Authorization Bypass - ZeroPath BlogExplore the critical CVE-2025-29927 vulnerability in Next.js middleware, enabling attackers to bypass authorization checks and gain unauthorized access.

#infosec #AppSec #NextJS

**LavX News** @lavxnews@mastodon.cloud · Mar 18

Mar 18

LavX News @lavxnews@mastodon.cloud

Unlocking the Power of Functional Programming: Lessons in Simplicity and Composition

In a world dominated by imperative programming, functional programming offers a refreshing perspective on code architecture and composition. This article explores the fundamental concepts of Haskell a...

https://news.lavx.hu/article/unlocking-the-power-of-functional-programming-lessons-in-simplicity-and-composition