Critical Flaw in Next.js lets Attackers bypass Authorization.
A recent collaborative effort by researchers Rachid Allam and Yasser Allam has exposed a critical vulnerability within the Next.js framework, a widely used JavaScript framework based on React with nearly 10 million weekly downloads.
https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
![[ImageSource: zhero-web-sec]
The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0.
"Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops," Next.js said in an advisory. "It was possible to skip running middleware, which could allow requests to skip critical checks [such as authorization cookie validation] before reaching routes."
<https://nextjs.org/blog/cve-2025-29927>
The shortcoming has been addressed in versions 12.3.5, 13.5.9, 14.2.25 and 15.2.3. If patching is not an option, it's recommended that users prevent external user requests that contain the x-middleware-subrequest header from reaching the Next.js application.
⚠️The company also said any host website that utilizes middleware to authorize users without any additional authorization checks is vulnerable to CVE-2025-29927, potentially enabling attackers to access otherwise unauthorized resources (e.g., admin pages).⚠️](https://nerdculture.de/system/media_attachments/files/114/234/341/495/174/533/original/d2d061af71c4a9f2.jpeg "[ImageSource: zhero-web-sec]
The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0.
\"Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops,\" Next.js said in an advisory. \"It was possible to skip running middleware, which could allow requests to skip critical checks [such as authorization cookie validation] before reaching routes.\"
<https://nextjs.org/blog/cve-2025-29927>
The shortcoming has been addressed in versions 12.3.5, 13.5.9, 14.2.25 and 15.2.3. If patching is not an option, it's recommended that users prevent external user requests that contain the x-middleware-subrequest header from reaching the Next.js application.
⚠️The company also said any host website that utilizes middleware to authorize users without any additional authorization checks is vulnerable to CVE-2025-29927, potentially enabling attackers to access otherwise unauthorized resources (e.g., admin pages).⚠️")
Ein Hackerangriff auf #Oracle sorgt für Aufsehen. Mehrere Unternehmen haben bestätigt, dass ihre #Kundendaten, die ein Angreifer online veröffentlicht hat, echt sind.
Laut #Sicherheitsforschern nutzte der Angreifer eine #Schwachstelle in der veralteten #Middleware Oracle Fusion Middleware 11g. #Oracle hatte den Vorfall zunächst abgestritten. Betroffen sind bis zu sechs Millionen #Datensätze.
Red Hat Middleware moving to IBM http://markclittle.blogspot.com/2025/03/red-hat-middleware-moving-to-ibm.html by @nmcl
#redhat #ibm #middleware
»Critical Next.js Middleware Vulnerability Allows Attackers to Bypass Authorization:
A severe vulnerability has been identified in Next.js, a popular React framework used for building web applications, under the designation CVE-2025-29927.«
Well, I have to give it up and look at it.
https://gbhackers.com/critical-next-js-middleware-vulnerability/
Critical Next.js Middleware Vulnerability (CVE-2025-29927)
A major auth bypass vulnerability in Next.js middleware (prior to v14.2.25 / v15.2.3) allows attackers to inject the x-middleware-subrequest header and bypass authorization entirely. Exploitable via simple HTTP requests—no user interaction, no special permissions.
Patch. Now. Or block the header manually.
GitHub scored this 9.1 CRITICAL, but the real issue? This flaw exposes a systemic weakness in middleware validation, and some vendors weren’t exactly upfront about the risks.
Details + POC: https://zeropath.com/blog/nextjs-middleware-cve-2025-29927-auth-bypass
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29927
Security theater is easy. Secure defaults and transparency are harder—but essential.
@mookie also wothput #Backend or #Middleware we'd constantly see #Skiddies fuck up everything!
Building A Dynamic PHP Router Library
Hey people 
, ever wondered how URLs are routed to fancy actions in web apps? 
Check out my latest tutorial 
where I break down PHP routing with handlers, middleware, and dynamic URLs!
→ Learn more here: https://smsk.dev/go/7k5u2/
Let's simplify the complex! #PHP #WebDevelopment #Middleware #Routing 
@Noupside just saw you on @bloomberg with regard to #middleware and heard #mastodon get a fleeting mention.
Exploit für PS5 Hypervisor kommt bald
#Gaming #Jailbreaks #Byepervisor #eXecuteOnlyMemory #hardweario #Hypervisor #Middleware #VirtualMachineMonitor https://sc.tarnkappe.info/7dbde6
Lazy Rack: is there a rack middleware that will print stats like how many requests per second? Need to test some async HTTP code that sends lots of requests.
#ruby #rack #middleware
"I never meant to end up writing #middleware for a living"
New Geospatial Data Startup Streamlines Satellite Imagery Visualization
--
https://techcrunch.com/2024/03/05/new-geospatial-data-startup-streamlines-satellite-imagery-visualization/ <-- shared media article
--
[sharing of this article is of course not an endorsement]
#GIS #spatial #remotesensing #processing #servers #datastorage #dataprocessing #middleware #earthobservation #spatialdata #alldataisspatial #imagery #visualisation #startup #Fused #spatialanalysis #usecase #appliedscience #ai #datavisualisation #businessmodel #serverless #industry #commercial #api #gateway #satellite
Say 'hi' if you're a Product Manager or know what that is!
I'm getting back into my IT design head space, so I've added Enterprise Software and middleware to my profile.
IT Solution Design/ Product management in software development was my last corporate thing.
"Product managers are often thought of as sitting at the intersection of business, design, and technology." - Wikipedia 
@RickiTarr 2/ So everything gets much smaller. Implants and #neural interfaces are one possible future, but there are many unknowns along that path. Instead, think #wearables. An earring maybe.
(2) #Software (more generally, re-programability) offers plenty of opportunity for #innovation. #Middleware will be key. For example, self-organizing distributed virtual #computing systems will be far more powerful than any standalone device.
okay, it's not just me... the #mongoose #middleware is just really poorly designed. Really frustrating for those of us coming from an #activeRecord world where things are just a lot more mature.
Just wish I hadn't lost the hours I just spent banging my head against this. But at least I know now to just not attempt anything non-trivial via middleware.
@bobwyman @J12t Yes, a #SemanticWeb user-agent can handle that.
For example, the sponger #middleware module of our #VirtuosoRDBMS can do that.
Re Prospective Search, the focal point is variables in the body of a #SPARQL query that satisfy conditions expressed in relations.
A query solution can always optionally include document identifiers (a/k/a named graphs).
Example: https://tinyurl.com/4kwzvu28
I will do a quick #introduction...
Mainly a tech geek that is currently focused on tech such as #kubernetes #terraform #ansible and general #cicd technologies.
Love my #homelab, but would like to get into more of a minimal power homelab. Using #rancher with RKE2 and EKS (kubernetes) that is mostly automated. I also dabble in #vmware and #mikrotik, but previous backgrounds are in many #middleware technologies.
Excited to learn more about #fediverse as I go.
Eben eine seeehr alte #Traefik #Middleware aus meiner Traefik-Anfangszeit, die ich fürs #SchenklRadioLeaks brauche, eben das erste mal tatsächlich auch verstanden und auf etwas portiert, das ich inner Arbeit brauche :)
Greg Cocks 
️ 
