GHSA-f82v-jwr5-mffw

Source
https://github.com/advisories/GHSA-f82v-jwr5-mffw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-f82v-jwr5-mffw/GHSA-f82v-jwr5-mffw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f82v-jwr5-mffw
Aliases
Related
Published
2025-03-21T15:20:12Z
Modified
2025-03-28T15:31:53Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Authorization Bypass in Next.js Middleware
Details

Impact

It is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. Next.js uses the x-middleware-subrequest request header internally to mark requests that middleware itself issues; in affected versions, a request arriving from an external client with this header set causes middleware, and any authorization logic implemented there, to be skipped entirely.

Patches

  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js 13.x, this issue is fixed in 13.5.9
  • For Next.js 12.x, this issue is fixed in 12.3.5
  • For Next.js 11.x, no fixed release is available; consult the workaround below.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommended that you prevent external user requests that contain the x-middleware-subrequest header from reaching your Next.js application, for example by rejecting such requests or stripping the header at a reverse proxy, load balancer or WAF in front of the application. Header names are case-insensitive, so the filter must match X-Middleware-Subrequest and other spellings as well.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)
Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T15:20:12Z",
    "cwe_ids": [
        "CWE-285"
    ],
    "severity": "CRITICAL",
    "nvd_published_at": "2025-03-21T15:15:42Z"
}
References

Affected packages

npm / next (SEMVER ranges; each entry is one introduced/fixed pair)

  • Introduced 11.1.4, fixed 12.3.5
  • Introduced 13.0.0, fixed 13.5.9
  • Introduced 14.0.0, fixed 14.2.25
  • Introduced 15.0.0, fixed 15.2.3