Summary: The video discusses a critical vulnerability (CVE 2025 29927) found in Next.js, a popular React framework, prior to versions 14.2.25 and 15.2.3. This flaw allows unauthorized access by bypassing authorization checks in middleware, and the vulnerability was addressed in subsequent software updates. The presenter explains how the exploit works and demonstrates a proof of concept.
Keypoints:
- CVE 2025 29927 is a critical vulnerability in Next.js with a CVSS score of 9.1.
- The vulnerability allows bypassing authorization checks when middleware is improperly set up.
- Fixed versions of Next.js are 14.2.25 and 15.2.3; earlier versions remain vulnerable.
- The exploit relies on the
x-middleware-subrequestHTTP header to skip authorization checks. - Researchers Zhero and Enzo discovered the vulnerability and shared their findings publicly.
- The video includes a demonstration of creating a vulnerable application to illustrate the exploit.
- Workarounds include blocking requests containing the vulnerable header to protect applications.
- The exploitable logic was traced back to specific code in old Next.js versions concerning middleware handling.
- Subsequent changes in the framework aim to prevent similar exploits by validating middleware requests through server-generated IDs.
- The rapid response by Vercel, the company behind Next.js, to address the vulnerability was noted as a positive aspect.
Youtube Video: https://www.youtube.com/watch?v=dL1a0KcAW3Y
Youtube Channel: John Hammond
Video Published: Mon, 24 Mar 2025 13:00:58 +0000