FixVibe
Covered by FixVibe
Severity: critical

CVE-2025-29927: Next.js Middleware Authorization Bypass

A critical vulnerability in Next.js allows attackers to bypass authorization checks implemented in middleware. By spoofing internal headers, external requests can masquerade as already-authorized subrequests, resulting in unauthorized access to protected routes and data.

CVE-2025-29927 · GHSA-F82V-JWR5-MFFW · CWE-863 · CWE-285

Impact

An attacker can bypass the security logic and authorization checks in Next.js applications, potentially gaining full access to restricted resources [S1]. The vulnerability is rated critical with a CVSS score of 9.1 because it requires no privileges and can be exploited over the network without user interaction [S2].

Root cause

The vulnerability stems from how Next.js handles internal subrequests within its middleware architecture [S1]. Applications that rely on middleware for authorization (CWE-863) are vulnerable if they do not properly verify the origin of internal headers [S2]. Specifically, an external attacker can add the x-middleware-subrequest header to a request to trick the framework into treating it as an internal operation that has already been authorized, effectively skipping the middleware's security logic [S1].

How FixVibe checks for it

FixVibe now includes this as an active, gated check. After domain verification, active.nextjs.middleware-bypass-cve-2025-29927 looks for Next.js endpoints that deny a baseline request, then issues a bounded control probe for the middleware-bypass condition. It reports only when a protected route changes from denied to accessible in a way consistent with CVE-2025-29927, and the remediation guidance keeps the fix focused on upgrading Next.js and blocking the internal middleware header at the edge until the upgrade is in place.

Concrete remediation

  • Upgrade Next.js: Immediately update your application to a patched version: 12.3.5, 13.5.9, 14.2.25, or 15.2.3 [S1, S2].
  • Manual header filtering: If an immediate upgrade is not possible, configure a Web Application Firewall (WAF) or reverse proxy to strip the x-middleware-subrequest header from all incoming external requests before they reach the Next.js server.
  • Vercel deployments: Deployments hosted on Vercel are actively protected by the platform firewall [S2].