Summary: The video discusses a critical vulnerability discovered in the popular JavaScript framework Next.js, which had a CVSS score of 9.1 and was tracked under CVE-2025-29927. Researchers Enzo and Zero revealed that the vulnerability allows for authorization bypass simply by including specific headers in requests.Next.js framework has a serious vulnerability with a CVSS score of 9.1. Tracked under CVE-2025-29927, it allows for authorization bypass. The vulnerability was discovered by researchers Enzo and Zero. Bypassing authorization requires basic knowledge of Burp Suite. X-middleware-sub-request header can completely bypass middleware checks. Proof of concepts demonstrated authorization bypass, CSP bypass, and DOS via cache poisoning. Over 400,000 instances are exposed to this vulnerability. All versions of Next.js 11 and higher are affected. Vercel has confirmed that Next.js deployments on their platform are protected against this vulnerability.
Keypoints:
Youtube Video: https://www.youtube.com/watch?v=tEg3nsQA3qc
Youtube Channel: Hak5
Video Published: Thu, 27 Mar 2025 13:01:24 +0000