order @order

12 posts12 participants0 posts today

**IT News** @itnewsbot@schleuss.online · 2d

This Week in Security: IngressNightmare, NextJS, and Leaking DNA - This week, researchers from Wiz Research released a series of vulnerabilities in t... - https://hackaday.com/2025/03/28/this-week-in-security-ingressnightmare-nextjs-and-leaking-dna/ #thisweekinsecurity #ingressnightmare #hackadaycolumns #securityhacks #23andme #nextjs #news

Hackaday · 2dThis Week In Security: IngressNightmare, NextJS, And Leaking DNAThis week, researchers from Wiz Research released a series of vulnerabilities in the Kubernetes Ingress NGINX Controller that, when chained together, allow an unauthorized attacker to completely t…

**Captain Steph** @sirber@fosstodon.org · 3d

Captain Steph @sirber@fosstodon.org

Yay I can add basic customers in my CRM project! Trying to learn #nextjs and #prisma.

#webdev #TypeScript

Replied in thread

**Thibaud Colas** @thibaudcolas@fosstodon.org · 3d

Thibaud Colas @thibaudcolas@fosstodon.org

@carlton @EmmaDelescolle @wsvincent bonus chart for you two. I’d love to see this compared to #Rails / #Laravel / #nextjs. I think "75% of current downloads are for a supported version" is a solid achievement but am only 75% sure of that.

Downloads of supported Django versions. Percentage of PyPI downloads of Django versions that are under mainstream or extended support. Line chart from 2016 (around 30%) to March 2025 (around 75%). In-between, the line is bumpy but stays between 55 and 80% through 2018 to now.

**Olly** @Olly42 · 3d

Olly @Olly42

Critical Flaw in Next.js lets Attackers bypass Authorization.

A recent collaborative effort by researchers Rachid Allam and Yasser Allam has exposed a critical vulnerability within the Next.js framework, a widely used JavaScript framework based on React with nearly 10 million weekly downloads.

https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

Their research, documented in a detailed publication, reveals a flaw in the Next.js middleware that allows for unauthorized access and control, impacting all versions of the framework. This flaw, designated CVE-2025-29927 and rated as critical.

<https://nvd.nist.gov/vuln/detail/CVE-2025-29927>

Reportedly, the vulnerability specifically targets the middleware function, which is a component designed to execute code before a request is completed and is frequently used for crucial security functions, including authentication and authorization. However, the discovered vulnerability allows attackers to bypass these security measures.

The core of the vulnerability lies in the handling of the “x-middleware-subrequest” header. By manipulating this header with a specific value, attackers can effectively ignore the middleware’s intended rules, gaining unauthorized access. As Allam explained, “The header and its value act as a universal key allowing rules to be overridden.”

[ImageSource: zhero-web-sec]

The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0.

"Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops," Next.js said in an advisory. "It was possible to skip running middleware, which could allow requests to skip critical checks [such as authorization cookie validation] before reaching routes."

<https://nextjs.org/blog/cve-2025-29927>

The shortcoming has been addressed in versions 12.3.5, 13.5.9, 14.2.25 and 15.2.3. If patching is not an option, it's recommended that users prevent external user requests that contain the x-middleware-subrequest header from reaching the Next.js application.

⚠️The company also said any host website that utilizes middleware to authorize users without any additional authorization checks is vulnerable to CVE-2025-29927, potentially enabling attackers to access otherwise unauthorized resources (e.g., admin pages).⚠️

#nextjs #middleware #it

**Nils Hartmann** @nilshartmann@norden.social · 3d

Nils Hartmann @nilshartmann@norden.social

Vielen Dank für Orga, Teilnahme und die rege Diskussion rund um das Thema #NextJS gestern bei der #JugHH!

Hier findet ihr Links zur Beispiel-Anwendungen und zum Live-Coding-Code: https://react.schule/jughh-nextjs

Bis zum nächsten Mal

PS: Wenn euch das Thema interessiert, und ihr in der Region #Dortmund unterwegs seid: im April halte ich den Vortrag dort auf der User Group von #Codecentric: https://www.meetup.com/codecentric-dortmund-tech-talk/events/305897148

Screenshot von Webstorm, in dem eine fiktive Java- und eine NextJS-Datei geöffnet ist

Titelfolie des Vortrags mit dem Titel "Das Frontend im Backend - Webanwendungen mit Next.js"

**Inautilo** @inautilo@mastodon.social · 4d *

4d *

Inautilo @inautilo@mastodon.social

#Development #Insights
Before choosing Next.js · What to know about the web development framework https://ilo.im/162zgl

_____
#OpenSource #Vercel #NextJS #React #JavaScript #Framework #Hosting #WebDev #Frontend #Backend

Build TimesYou should know this before choosing Next.jsPicking the technology stack for a project is an important and consequential decision. In the enterprise space in particular, it often involves a multi-year commitment with long-lasting implications on the roadmap of the project, the pace of its development, the quality of the deliverables, and even the ability to assemble and maintain a happy team.The open-source software model is a fundamental answer to this. By using software that is developed in the open, anyone is free to extend it or modify it in whatever way fits their use case. More crucially, the portability of open-source software gives developers and organisations the freedom to move their infrastructure between different providers without fear of getting locked in to a specific vendor.This is the expectation with Next.js, an open-source web development framework created and [governed by Vercel](https://nextjs.org/governance), a cloud provider that offers managed hosting of Next.js as a service.

**Miron** @hmiron@fosstodon.org · 4d

Miron @hmiron@fosstodon.org

https://astro.build/ and https://vanilla-extract.style/ are a great fit.

I'm migrating from NextJS to Astro and all my complex styles are ported over with no changes. This makes my job so much easier.

AstroAstroAstro builds fast content sites, powerful web applications, dynamic server APIs, and everything in-between.

#WebDev #nextjs #react

**Captain Steph** @sirber@fosstodon.org · 5d

Captain Steph @sirber@fosstodon.org

What are your thoughts on Vercel and Next JS? It seems like a walked garden to me...

#react #JavaScript #nextjs

**platform.sh** @platformsh@mastodon.social · 5d *

5d *

platform.sh @platformsh@mastodon.social

[Tutorial ] Trying to modernize your Symfony setup? This new guide shows how to decouple your frontend using Next.js—for better performance, faster deploys, and dev workflow wins.

It’s practical, detailed, and designed to help you iterate faster without breaking your architecture.

https://brnw.ch/DecoupleyourSymfonyfrontendwithnextjs

#Symfony #Nextjs #WebDev

**The New Oil** @thenewoil@mastodon.thenewoil.org · 5d

The New Oil @thenewoil@mastodon.thenewoil.org

Critical flaw in #Nextjs lets hackers bypass authorization

https://www.bleepingcomputer.com/news/security/critical-flaw-in-nextjs-lets-hackers-bypass-authorization/

#cybersecurity

**Nils Hartmann** @nilshartmann@norden.social · 5d *

5d *

Nils Hartmann @nilshartmann@norden.social

HEUTE (Mittwoch, 26.3.) ist "Fremdsprachen-Tag" bei der #JUG Hamburg: Ich möchte euch das #React-Framework #NextJS vorstellen und mit klassischen #Java-Architekturen vergleichen (mal sehen, ob das klappt...)

Freue mich, euch ab 19 Uhr zu sehen: https://www.meetup.com/jug-hamburg/events/306742794

MeetupDas Frontend im Backend: Webanwendungen mit Next.js, Wed, Mar 26, 2025, 7:00 PM | MeetupEinmal mehr möchte ich die JUG HH mit einem “Fremdsprachen”-Vortrag kapern und mit euch in die JavaScript-Frontend-Welt eintauchen. Wobei sich diese Frontend-Welt zum große

#JavaUserGroup #Hamburg #Webdev

**Caravana Blues** @caravana@mastodon.social · 5d

Caravana Blues @caravana@mastodon.social

Exploring SSR Patterns: Next.js, Nuxt.js, and Alternatives https://chat-to.dev/post?id=TVRpYklqejFjdnlZQXlHR3JHU0Jkdz09 #nextjs #nuxtjs #javascript #programming

**Sam Stepanyan** @securestep9@infosec.exchange · 6d

Sam Stepanyan @securestep9@infosec.exchange

#NextJS: Critical #vulnerability in NextJS (CVE-2025-29927) impacts all NextJS versions before 15.2.3, 14.2.25, 13.5.9, 12.3.5 allowing attackers to bypass authorisation checks.

Great explanation and a Proof-of-Concept demonstration by @_JohnHammond

https://www.youtube.com/watch?v=dL1a0KcAW3Y

YouTubethe CRITICAL 9.1 severity Next.js vulnerabilityBy John Hammond

**Karthikeyan A K** @mindaslab@mstdn.social · 6d

Karthikeyan A K @mindaslab@mstdn.social

Looking for freelance #NextJS devs. Potential to earn upto ₹20K a week.

#JavaScript #Job #WebDev

**Vale** @vale@fedi.vale.rocks · 6d

Vale @vale@fedi.vale.rocks

Reject modernity (Next.js); embrace tradition (PHP).

#NextJS #PHP #WebDev

**𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕 (ô¿ô)** @kubikpixel@chaos.social · 6d

𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕 (ô¿ô) @kubikpixel@chaos.social

»Critical Next.js Middleware Vulnerability Allows Attackers to Bypass Authorization:
A severe vulnerability has been identified in Next.js, a popular React framework used for building web applications, under the designation CVE-2025-29927.«

Well, I have to give it up and look at it.

https://gbhackers.com/critical-next-js-middleware-vulnerability/

GBHackers Security | #1 Globally Trusted Cyber Security News Platform · Mar 24Critical Next.js Middleware Vulnerability Allows Attackers to Bypass AuthorizationA severe vulnerability has been identified in Next.js, a popular React framework used for building web applications, under the designation CVE-2025-29927.

#javascript #nextjs #webdev

**Frontend Dogma** @frontenddogma@mas.to · 6d

Frontend Dogma @frontenddogma@mas.to

Next.js vs. TanStack, by @gill_kyle@x.com:

https://www.kylegill.com/essays/next-vs-tanstack/

www.kylegill.comNext.js vs TanStackSee this post for inspiration. Over the past few months, I've moved as much code as possible away from Next.js . While I see why people…

#nextjs #comparisons

**Socket** @SocketSecurity@fosstodon.org · Mar 24

Mar 24

Socket @SocketSecurity@fosstodon.org

Next.js has patched a critical vulnerability that lets attackers bypass auth middleware in self-hosted apps. Immediate action is necessary: patch now.

https://socket.dev/blog/next-js-patches-critical-middleware-vulnerability #nextjs #javascript

SocketNext.js Patches Critical Middleware Vulnerability (CVE-2025-...Next.js has patched a critical vulnerability (CVE-2025-29927) that allowed attackers to bypass middleware-based authorization checks in self-hosted ap...

**Konstantin** @kpwn@infosec.exchange · Mar 23

Mar 23

Konstantin @kpwn@infosec.exchange

With #CVE_2025_29927, Next.js has now suffered its second major vulnerability in just three months, following #CVE_2024_51479.

I originally built CVE Crowd with #NextJS.

However, as the application became more complex (especially with authentication), I decided to switch to a framework I was more familiar with.

Honestly, I’m feeling a bit relieved about that right now...

#Pentesting #AppSec #InfoSec

**Suzanne Aldrich (she/her)** @suzannealdrich@hachyderm.io · Mar 23

Mar 23

Suzanne Aldrich (she/her) @suzannealdrich@hachyderm.io

Critical Next.js Middleware Vulnerability (CVE-2025-29927)

A major auth bypass vulnerability in Next.js middleware (prior to v14.2.25 / v15.2.3) allows attackers to inject the x-middleware-subrequest header and bypass authorization entirely. Exploitable via simple HTTP requests—no user interaction, no special permissions.

Patch. Now. Or block the header manually.

GitHub scored this 9.1 CRITICAL, but the real issue? This flaw exposes a systemic weakness in middleware validation, and some vendors weren’t exactly upfront about the risks.

Details + POC: https://zeropath.com/blog/nextjs-middleware-cve-2025-29927-auth-bypass
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29927

Security theater is easy. Secure defaults and transparency are harder—but essential.

zeropath.comNext.js Middleware Exploit: Deep Dive into CVE-2025-29927 Authorization Bypass - ZeroPath BlogExplore the critical CVE-2025-29927 vulnerability in Next.js middleware, enabling attackers to bypass authorization checks and gain unauthorized access.

#infosec #AppSec #NextJS

Recent searches

Search options

Administered by:

Server stats:

#nextjs