#cve202529927

2025-03-26

[Translation] How a 9.3 vulnerability waited 3 years to be discovered

A critical 9.3/10 vulnerability was found in the largest JavaScript framework, Next.js; it took Vercel 13 days to fix it.

habr.com/ru/articles/894770/

#javascript #vercel #nextjs #cve #cve202529927 #github

Suzanne Aldrich (she/her) suzannealdrich@hachyderm.io
2025-03-23

Critical Next.js Middleware Vulnerability (CVE-2025-29927)

A major auth bypass vulnerability in Next.js middleware (prior to v14.2.25 / v15.2.3) allows attackers to inject the x-middleware-subrequest header and bypass authorization entirely. Exploitable via simple HTTP requests—no user interaction, no special permissions.

Patch. Now. Or block the header manually.

GitHub scored this 9.1 CRITICAL, but the real issue? This flaw exposes a systemic weakness in middleware validation, and some vendors weren’t exactly upfront about the risks.

Details + POC: zeropath.com/blog/nextjs-middl
NVD: nvd.nist.gov/vuln/detail/CVE-2

Security theater is easy. Secure defaults and transparency are harder—but essential.

#infosec #AppSec #NextJS #CVE202529927 #middleware #securityfail
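An added example, not code from the post above, from Vercel or from Next.js: a defender-side guard that implements the "block the header manually" advice at the edge, plus a scan over constructed access-log lines. It assumes Node.js-style plain objects for request headers and constructed JSON log entries.

```javascript
// Added example: reject external requests carrying the internal-only
// x-middleware-subrequest header (the header named in the post) and flag
// past requests that carried it. Header objects are assumed to be plain
// name -> value maps as Node.js exposes them.
const BLOCKED_HEADER = "x-middleware-subrequest";

// Header names are case-insensitive, so normalise before comparing.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// True when a request from outside carries the internal-only header.
function carriesInternalHeader(headers) {
  return Object.prototype.hasOwnProperty.call(normalizeHeaders(headers), BLOCKED_HEADER);
}

// Edge policy: reject outright (403) and also return the header set with the
// offending header stripped, so a caller that prefers to forward can do so.
function guardRequest(req) {
  const headers = normalizeHeaders(req.headers || {});
  if (Object.prototype.hasOwnProperty.call(headers, BLOCKED_HEADER)) {
    const { [BLOCKED_HEADER]: _dropped, ...forwarded } = headers;
    return { action: "reject", status: 403, forwardedHeaders: forwarded };
  }
  return { action: "forward", status: null, forwardedHeaders: headers };
}

// Detection over access logs: one JSON object per line (constructed format);
// unparsable lines are skipped rather than aborting the scan.
function findHeaderAbuse(logLines) {
  const hits = [];
  for (const line of logLines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    if (carriesInternalHeader(entry.headers || {})) {
      hits.push({ ip: entry.ip, path: entry.path });
    }
  }
  return hits;
}

// Constructed sample log lines, not real traffic or a real exploit value.
const SAMPLE_LOG = [
  '{"ip":"203.0.113.5","path":"/admin","headers":{"X-Middleware-Subrequest":"CONSTRUCTED"}}',
  '{"ip":"198.51.100.9","path":"/","headers":{"accept":"text/html"}}',
  "not json at all",
];
```

Run `findHeaderAbuse(SAMPLE_LOG)` to see the flagged entry; `guardRequest({ headers })` is the hook to place in front of an unpatched app until it is on 14.2.25 / 15.2.3 or later.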

N-gated Hacker News ngate
2025-03-22

🔥 Oh no! The Earth-shattering CVE-2025-29927 has been unleashed, bringing the Next.js universe to its knees...or so they say. 🎭 Apparently, to save humanity, you must update ASAP—because nothing screams urgency like a numbering system that sounds like a barcode. 🥳
nextjs.org/blog/cve-2025-29927
