Warning for developers, web admins: update Next.js to prevent exploit

Published 2025-03-25 by cybersecurityinfocus.com (category: education). Source: https://cybersecurityinfocus.com/?p=2481

Developers and web admins who use the Next.js framework to build or manage interactive web applications should install a security update that closes a critical vulnerability.

The vulnerability, CVE-2025-29927 (https://nvd.nist.gov/vuln/detail/CVE-2025-29927), allows an authorization bypass when the framework's "middleware" feature (https://nextjs.org/docs/app/building-your-application/routing/middleware) is enabled in front of a service. It is critical when that middleware performs security functions such as authorization, access control, or checking that session cookies are valid.

"This vulnerability would allow you to bypass that check," noted Johannes Ullrich, dean of research at the SANS Institute.