Impact
An attacker can bypass the security logic and authorization checks of Next.js applications, potentially gaining full access to restricted resources [S1]. The vulnerability is rated critical, with a CVSS score of 9.1, because it is exploitable over the network without any user interaction [S2].
Root Cause
The vulnerability stems from how Next.js handles internal sub-requests within its middleware architecture [S1]. Applications that rely on middleware for authorization (CWE-863) are exposed because the origin of internal headers is not properly validated [S2]. Specifically, an external attacker can include the x-middleware-subrequest header in their request to trick the framework into treating the request as an already-authorized internal one, skipping the middleware's security logic entirely [S1].
How FixVibe tests for it
FixVibe currently runs this as an active, gated check. After scope validation, active.nextjs.middleware-bypass-cve-2025-29927 looks for Next.js endpoints that deny a baseline request, then runs a narrow authorization check for the middleware-bypass condition. A finding is raised only when the protected path flips from denied to accessible under CVE-2025-29927, and the remediation guidance focuses on upgrading Next.js and stripping the middleware header at the edge until the patch is applied.
Concrete Remediation
- Whakahou Next.js: Whakahou tonu to tono ki te putanga papaki: 12.3.5, 13.5.9, 14.2.25, 15.2.3 ranei [S1, S2].
- Tatari Pane A-ringa: Ki te kore e taea te whakamohoatanga tonu, whirihorahia to Paerewa Taupānga Tukutuku (WAF) hei takawaenga whakamuri ranei hei tango i te pane
x-middleware-subrequestmai i nga tono o waho katoa ka tae mai i mua i to taenga atu ki te Next.js tūmau ZXCVFIXZVIBETOK. - Vercel Deployment: Ko nga tukunga e whakahaerehia ana i runga i te Vercel ka tiakina marietia e te papaahi o te papaahi [S2].
