FixVibe
Covered by FixVibe · critical

CVE-2025-29927: Next.js Middleware Authorization Bypass

A critical vulnerability in Next.js allows attackers to bypass authorization checks implemented in middleware. By spoofing internal headers, external requests can be made to look like already-authorized requests, leading to unauthorized access to protected routes and data.

CVE-2025-29927 · GHSA-F82V-JWR5-MFFW · CWE-863 · CWE-285

Impact

An attacker can bypass the security logic and authorization checks of a Next.js application, potentially gaining full access to restricted resources [S1]. The vulnerability is rated critical with a CVSS score of 9.1 because it requires no privileges and can be exploited over the network without user interaction [S2].

Root Cause

The flaw stems from how Next.js handles internal subrequests in its middleware architecture [S1]. Applications that rely on middleware for authorization (CWE-863) are vulnerable if they do not verify the true origin of internal headers [S2]. Specifically, an external attacker can include the x-middleware-subrequest header in a request to trick the framework into treating it as an already-authorized internal operation, effectively skipping the middleware's security logic [S1].

How FixVibe tests for it

FixVibe now includes this as a gated active check. After confirming the target, active.nextjs.middleware-bypass-cve-2025-29927 looks for a Next.js endpoint that denies the baseline request, then runs a controlled probe for the middleware-bypass condition. It reports only when a protected route flips from denied to accessible in the way that matches CVE-2025-29927, and the quick fix remains to upgrade Next.js and strip the internal middleware header at the edge until that is done.

Concrete Fixes

  • Upgrade Next.js: Immediately update your application to a patched version: 12.3.5, 13.5.9, 14.2.25, or 15.2.3 [S1, S2].

  • Manual Header Filtering: If an immediate upgrade is not possible, configure your Web Application Firewall (WAF) or reverse proxy to strip the x-middleware-subrequest header from all incoming external requests before they reach the Next.js server.

  • Vercel Deployments*: Projects hosted on Vercel are protected by the platform firewall [S2].
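As an added example (not FixVibe's or Next.js's own code), the header-stripping mitigation above together with a matching access-log check, written for Node.js; the log record format and the loopback-address rule for "internal" traffic are assumptions made for the demonstration.

```javascript
// Added example (not part of FixVibe or Next.js): defender-side handling for
// CVE-2025-29927 when an immediate upgrade is not possible.
//
// stripInternalHeaders(): drop x-middleware-subrequest from any request that
//   arrives from outside, before it reaches the Next.js server (header names
//   are compared case-insensitively, as HTTP requires).
// findBypassAttempts(): scan access-log records for external requests that
//   carried the header, to spot exploitation attempts against unpatched hosts.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// headers: plain object as a reverse proxy or custom Node server would hold it.
// Returns a new object without the internal header; the input is not mutated.
function stripInternalHeaders(headers) {
  const cleaned = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) continue;
    cleaned[name] = value;
  }
  return cleaned;
}

// logLines: JSON records with ts, src (peer address as logged), path, status,
// headers (assumed format). Returns external requests that carried the header;
// status is kept so a defender can see whether the protected route answered
// 200 (possible bypass) or was still denied.
function findBypassAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; } // skip malformed
    const names = Object.keys(rec.headers || {}).map((h) => h.toLowerCase());
    const external = !['127.0.0.1', '::1'].includes(rec.src);
    if (external && names.includes(INTERNAL_HEADER)) {
      hits.push({ ts: rec.ts, src: rec.src, path: rec.path, status: rec.status });
    }
  }
  return hits;
}

// Constructed sample log lines for demonstration only (not real traffic).
const SAMPLE_LOG = [
  '{"ts":"2025-03-22T10:00:01Z","src":"203.0.113.7","path":"/admin","status":200,"headers":{"X-Middleware-Subrequest":"x","User-Agent":"curl/8.0"}}',
  '{"ts":"2025-03-22T10:00:02Z","src":"198.51.100.9","path":"/admin","status":403,"headers":{"User-Agent":"Mozilla/5.0"}}',
  '{"ts":"2025-03-22T10:00:03Z","src":"127.0.0.1","path":"/api/internal","status":200,"headers":{"x-middleware-subrequest":"x"}}',
  'not json at all',
];
```

Running findBypassAttempts(SAMPLE_LOG) flags only the first record: an external source carrying the header and a 200 on a protected path, which is exactly the pattern the active check above looks for.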