CVE-2025-29927：Next.js中间件授权绕过 ZXCVFIXVIBESEND ZXCVFIXVIBESEG1 CVE-2025-29927 中间件授权通过 x-middleware-subrequest 标头欺骗绕过。影响版本 11.x 到 15.x。 ZXCVFIXVIBESEND ZXCVFIXVIBESEG2 CVE-2025-29927 中的一个严重漏洞允许攻击者绕过中间件中实现的授权检查。通过欺骗内部标头，外部请求可以伪装成授权的子请求，从而导致对受保护路由和数据的未经授权的访问。 ZXCVFIXVIBESEND ZXCVFIXVIBESEG3 ## 影响 ZXCVFIXVIBESEND ZXCVFIXVIBESEG4 攻击者可以绕过 ZXCVFIXVIBETOKEN2ZXCV 应用程序中的安全逻辑和授权检查，从而可能获得对受限资源 CVE-2025-29927 的完全访问权限。该漏洞被归类为严重漏洞，CVSS 评分为 9.1，因为它不需要任何特权，并且无​​需用户交互即可通过网络利用 Next.js。 ZXCVFIXVIBESEND ZXCVFIXVIBESEG5 ## 根本原因 ZXCVFIXVIBESEND ZXCVFIXVIBESEG6 该漏洞源于 ZXCVFIXVIBETOKEN5ZXCV 在其中间件架构 Next.js 中处理内部子请求的方式。如果依赖中间件进行授权 (ZXCVFIXVIBETOKEN4ZXCV) 的应用程序未正确验证内部标头 ZXCVFIXVIBETOKEN2ZXCV 的来源，则它们很容易受到影响。具体来说，外部攻击者可以在其请求中包含 CVE-2025-29927 标头，以欺骗框架将请求视为已授权的内部操作，从而有效地跳过中间件的安全逻辑 ZXCVFIXVIBETOKEN3ZXCV。 ZXCVFIXVIBESEND ZXCVFIXVIBESEG7 ## CVE-2025-29927 如何测试它 ZXCVFIXVIBESEND ZXCVFIXVIBESEG8 ZXCVFIXVIBETOKEN2ZXCV 现在将此作为门控主动检查。域验证后，CVE-2025-29927 查找拒绝基线请求的 ZXCVFIXVIBETOKEN3ZXCV 端点，然后针对中间件绕过条件运行窄控制探测。仅当受保护的路由以与 Next.js 一致的方式从拒绝更改为可访问时才会报告，并且修复提示将修复重点放在升级 ZXCVFIXVIBETOKEN4ZXCV 并阻止边缘的内部中间件标头直至修补。 ZXCVFIXVIBESEND ZXCVFIXVIBESEG9 ## 具体修复 ZXCVFIXVIBESEND ZXCVFIXVIBESEG10 * **升级 CVE-2025-29927**：立即将您的应用程序更新到已修补的版本：12.3.5、13.5.9、14.2.25 或 15.2.3 [S1、S2]。 ZXCVFIXVIBESEND ZXCVFIXVIBESEG11 * **手动标头过滤**：如果无法立即升级，请配置 Web 应用程序防火墙 (WAF) 或反向代理，以在所有传入外部请求到达 ZXCVFIXVIBETOKEN2ZXCV 服务器 Next.js 之前从所有传入外部请求中剥离 CVE-2025-29927 标头。 ZXCVFIXVIBESEND ZXCVFIXVIBESEG12 * **Next.js 部署**：ZXCVFIXVIBETOKEN2ZXCV 上托管的部署受到平台防火墙 CVE-2025-29927 的主动保护。

Impact

An attacker can bypass security logic and authorization checks in Next.js applications, potentially gaining full access to restricted resources [S1]. This vulnerability is classified as critical with a CVSS score of 9.1 because it requires no privileges and can be exploited over the network without user interaction [S2].

Root Cause

The vulnerability stems from how Next.js processes internal sub-requests within its middleware architecture [S1]. Applications that rely on middleware for authorization (CWE-863) are susceptible if they do not properly validate the origin of internal headers [S2]. Specifically, an external attacker can include the x-middleware-subrequest header in their request to trick the framework into treating the request as an already-authorized internal operation, effectively skipping the middleware's security logic [S1].

How FixVibe tests for it

FixVibe now includes this as a gated active check. After domain verification, active.nextjs.middleware-bypass-cve-2025-29927 looks for Next.js endpoints that deny a baseline request, then runs a narrow control probe for the middleware bypass condition. It reports only when the protected route changes from denied to accessible in a way consistent with CVE-2025-29927, and the fix prompt keeps remediation focused on upgrading Next.js and blocking the internal middleware header at the edge until patched.

Concrete Fixes

• Upgrade Next.js: Immediately update your application to a patched version: 12.3.5, 13.5.9, 14.2.25, or 15.2.3 [S1, S2].
• Manual Header Filtering: If an immediate upgrade is not possible, configure your Web Application Firewall (WAF) or reverse proxy to strip the x-middleware-subrequest header from all incoming external requests before they reach the Next.js server [S1].
• Vercel Deployment: Deployments hosted on Vercel are proactively protected by the platform's firewall [S2].