Skip to content

Patch Next.js CVE-2025-29927 Authentication Bypass Vulnerability #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mlejva merged 1 commit into from
Mar 25, 2025
Merged

Patch Next.js CVE-2025-29927 Authentication Bypass Vulnerability #18

mlejva merged 1 commit into from
Mar 25, 2025

Conversation

@ben-fornefeld
Copy link
Member

@ben-fornefeld ben-fornefeld commented Mar 25, 2025

Upgrades Next.js to the latest patched version to fix critical authentication bypass vulnerability (CVE-2025-29927). This security flaw affects all older versions and could allow attackers to bypass authentication in our application.
The fix addresses an issue with middleware handling that could be exploited via the x-middleware-subrequest header.

@ben-fornefeld ben-fornefeld added the bug Something isn't working label Mar 25, 2025
@ben-fornefeld ben-fornefeld self-assigned this Mar 25, 2025
@linear
Copy link

linear bot commented Mar 25, 2025

E2B-1896 upgrade nextjs to comply with latest cloudflare rules

@vercel
Copy link

vercel bot commented Mar 25, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
web ✅ Ready (Inspect) Visit Preview 💬 Add feedback Mar 25, 2025 1:04pm
web-juliett ✅ Ready (Inspect) Visit Preview 💬 Add feedback Mar 25, 2025 1:04pm

@mlejva mlejva merged commit 9b82736 into main Mar 25, 2025
4 checks passed
@mlejva mlejva deleted the upgrade-nextjs-to-comply-with-latest-cloudflare-rules-e2b-1896 branch March 25, 2025 13:05
@ben-fornefeld ben-fornefeld restored the upgrade-nextjs-to-comply-with-latest-cloudflare-rules-e2b-1896 branch March 26, 2025 11:33
@ben-fornefeld ben-fornefeld mentioned this pull request Mar 26, 2025
Merged
@ben-fornefeld ben-fornefeld mentioned this pull request Apr 4, 2025
Merged
kitchenbeats pushed a commit to kitchenbeats/botlink-dashboard that referenced this pull request Oct 20, 2025
@mlejva
Patch Next.js CVE-2025-29927 Authentication Bypass Vulnerability (e2b…
5e4e34f 
…-dev#18)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mlejva mlejva mlejva approved these changes

@mishushakov mishushakov Awaiting requested review from mishushakov

@jakubno jakubno Awaiting requested review from jakubno

Assignees

@ben-fornefeld ben-fornefeld

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ben-fornefeld @mlejva