A critical vulnerability (CVE-2025-29927) has been discovered in Next.js, allowing attackers to bypass authentication mechanisms implemented at the middleware layer. Affected versions include:
- Next.js 15.x < 15.2.3
- Next.js 14.x < 14.2.25
- Next.js 13.x < 13.5.9
You Should Know:
1. Verify Your Next.js Version
Run the following command to check your Next.js version:
npm list next
Or for global installations:
npm list -g next
2. Patch Immediately
Upgrade to the patched versions:
npm install [email protected] # For Next.js 15.x
npm install [email protected] # For Next.js 14.x
npm install [email protected] # For Next.js 13.x
3. Test Middleware Authentication
Create a test route (`/test-auth`) and enforce middleware:
[javascript]
// middleware.js
import { NextResponse } from 'next/server';

export function middleware(request) {
  // Session cookie set at login; absent means the client is not authenticated
  const authToken = request.cookies.get('authToken');
  if (!authToken) {
    return NextResponse.redirect(new URL('/login', request.url));
  }
  return NextResponse.next();
}

// Only run this middleware for the test route
export const config = {
  matcher: '/test-auth',
};
[/javascript]
4. Simulate Exploit (For Validation)
Use `curl` to test if middleware bypass is possible:
curl -I http://localhost:3000/test-auth -H "X-Bypass: true"
If the response is `200 OK` instead of a redirect, the vulnerability exists.
5. Mitigation Workaround (If Patching Delayed)
Add a custom header check in `middleware.js`:
[javascript]
// Place inside middleware(request), before the authToken cookie check
if (request.headers.get('X-Bypass')) {
  return NextResponse.redirect(new URL('/blocked', request.url));
}
[/javascript]
6. Log Suspicious Activity
Enable Next.js server logs:
next start --log-level debug
Monitor for unexpected requests:
grep "X-Bypass" next.log
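The `grep` above only matches the literal header name. The following is an added example, not code from the original post or from the Next.js project, that writes a structured audit record per request hitting the middleware and then triages those records, flagging both a watched header and the more telling signal: a `200` on a protected path with no auth cookie. It assumes Node 18+ (global `Request`), one JSON object per log line (a format chosen here, not what `next start` emits), the protected path `/test-auth` from the post, and a constructed sample log.

```javascript
// Added example (not from the original post): structured request auditing
// plus a triage pass over the resulting log lines.
// Assumptions: Node 18+ (global Request/URL); JSON-lines log format chosen
// here; header and path names taken from the post.

const PROTECTED_PATHS = ['/test-auth'];
const WATCHED_HEADERS = ['x-bypass']; // Headers.has() is case-insensitive

// Build one audit record from a Request. Call this at the top of middleware()
// and write JSON.stringify(record) to your log sink.
function auditRecord(request, status) {
  const url = new URL(request.url);
  const cookie = request.headers.get('cookie') || '';
  const flagged = WATCHED_HEADERS.filter((h) => request.headers.has(h));
  return {
    ts: new Date().toISOString(),
    method: request.method,
    path: url.pathname,
    status,
    hasAuthCookie: /(?:^|;\s*)authToken=/.test(cookie),
    watchedHeaders: flagged,
  };
}

// Triage: return the records that deserve a look. A watched header is
// suspicious on its own; a 200 on a protected path without an auth cookie
// means the middleware-only control was not enforced.
function findSuspicious(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip non-JSON noise
    const reasons = [];
    if (Array.isArray(rec.watchedHeaders) && rec.watchedHeaders.length) {
      reasons.push('watched-header');
    }
    if (PROTECTED_PATHS.includes(rec.path) && rec.status === 200 && !rec.hasAuthCookie) {
      reasons.push('unauthenticated-200');
    }
    if (reasons.length) hits.push({ ...rec, reasons });
  }
  return hits;
}

// Constructed sample log (not captured from a real server).
const SAMPLE_LOG = [
  JSON.stringify({ ts: 't1', method: 'GET', path: '/test-auth', status: 307, hasAuthCookie: false, watchedHeaders: [] }),
  JSON.stringify({ ts: 't2', method: 'GET', path: '/test-auth', status: 200, hasAuthCookie: true, watchedHeaders: [] }),
  JSON.stringify({ ts: 't3', method: 'GET', path: '/test-auth', status: 200, hasAuthCookie: false, watchedHeaders: ['x-bypass'] }),
  JSON.stringify({ ts: 't4', method: 'GET', path: '/', status: 200, hasAuthCookie: false, watchedHeaders: [] }),
  'not json at all',
].join('\n');

console.log(findSuspicious(SAMPLE_LOG));
```

Only the `t3` record is reported, with both reasons attached; the redirected request and the authenticated `200` are normal traffic, and the public `/` route is out of scope. The `unauthenticated-200` rule is the one worth keeping even after patching, because it does not depend on knowing which header a future bypass would use.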
What Undercode Say:
This vulnerability highlights the risks of relying solely on middleware for authentication. Always implement:
- Defense-in-depth: Layer server-side checks (e.g., API route validations).
- Zero-trust logging: Audit all middleware interactions.
- Linux hardening: Use `fail2ban` to block exploit attempts:
fail2ban-regex /var/log/next.log "X-Bypass"
For Windows, enforce IPSec rules via PowerShell:
New-NetFirewallRule -DisplayName "Block Next.js Exploit" -Direction Inbound -Protocol TCP -LocalPort 3000 -Action Block -RemoteAddress 123.456.789.0/24
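As an added example of the defense-in-depth point (not code from the original post or from the Next.js project): a Route Handler that re-validates the session itself, so the route stays protected even if middleware is skipped. It assumes Node 18+ (global `Request`/`Response`), a hypothetical `VALID_SESSIONS` set standing in for a real session lookup, and the `authToken` cookie name used by the post's middleware. In a real `app/test-auth/route.js` the `GET` function would be exported.

```javascript
// Added example (not from the original post): a Route Handler that never
// trusts that middleware already ran. Assumptions: Node 18+ Web APIs;
// VALID_SESSIONS is a hypothetical stand-in for a real session store.

const VALID_SESSIONS = new Set(['sess-constructed-1']); // constructed sample data

// Parse the Cookie header into a plain object (the Web Request object has no
// cookies API, unlike NextRequest in middleware).
function parseCookies(request) {
  const header = request.headers.get('cookie') || '';
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Independent check used by the handler. Returns null when the request is
// authenticated, otherwise the Response to send back. A 401 is returned here
// rather than a redirect because this is an API-style route.
function requireAuth(request) {
  const { authToken } = parseCookies(request);
  if (!authToken || !VALID_SESSIONS.has(authToken)) {
    return new Response(JSON.stringify({ error: 'unauthenticated' }), {
      status: 401,
      headers: { 'content-type': 'application/json' },
    });
  }
  return null;
}

// Handler for /test-auth. Middleware may redirect first, but the handler
// enforces the same rule on its own.
function GET(request) {
  const denied = requireAuth(request);
  if (denied) return denied;
  return new Response(JSON.stringify({ ok: true }), {
    status: 200,
    headers: { 'content-type': 'application/json' },
  });
}
```

The value of this layering shows up in the `curl` check from step 4: with the route validating its own session, a request that somehow skips middleware still gets `401` rather than `200 OK`, so the "no `200 OK` on protected routes" expectation holds regardless of the middleware path.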
Expected Output:
- Patched Next.js versions.
- No `200 OK` responses on protected routes.
- Logs showing blocked bypass attempts.
Reported By: Zlatanh Github – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅