[GHSA-f82v-jwr5-mffw] Authorization Bypass in Next.js Middleware #6431
| @@ -1,7 +1,7 @@ | ||||||
| { | ||||||
| "schema_version": "1.4.0", | ||||||
| "id": "GHSA-f82v-jwr5-mffw", | ||||||
| "modified": "2025-10-13T15:32:07Z", | ||||||
| "modified": "2025-10-13T15:32:09Z", | ||||||
| "published": "2025-03-21T15:20:12Z", | ||||||
| "aliases": [ | ||||||
| "CVE-2025-29927" | ||||||
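Review bot: the only change in this hunk is the `modified` timestamp moving from `2025-10-13T15:32:07Z` to `2025-10-13T15:32:09Z`, a two-second bump that carries no content of its own; it is fine as long as it reflects the re-scoring edit below, but it will need another bump if that edit is revised before merge.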
|
|
@@ -10,8 +10,8 @@ | |||||
| "details": "# Impact\nIt is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.\n\n# Patches\n* For Next.js 15.x, this issue is fixed in `15.2.3`\n* For Next.js 14.x, this issue is fixed in `14.2.25`\n* For Next.js 13.x, this issue is fixed in 13.5.9\n* For Next.js 12.x, this issue is fixed in 12.3.5\n* For Next.js 11.x, consult the below workaround.\n\n_Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability._\n\n# Workaround\nIf patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the `x-middleware-subrequest` header from reaching your Next.js application.\n\n## Credits\n\n- Allam Rachid (zhero;)\n- Allam Yasser (inzo_)", | ||||||
| "severity": [ | ||||||
| { | ||||||
| "type": "CVSS_V3", | ||||||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" | ||||||
| "type": "CVSS_V4", | ||||||
| "score": "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N" | ||||||
| } | ||||||
| ], | ||||||
| "affected": [ | ||||||
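Review bot: the new CVSS v4.0 vector contradicts the unchanged `details` text in the same hunk. The advisory says authorization checks in middleware can be bypassed by external user requests carrying the `x-middleware-subrequest` header, which is a network attack vector with no privileges and no user interaction, and the v3.1 vector being removed (`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`) said exactly that; the replacement (`AV:P/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N`) claims a physical attack vector, high privileges, active user interaction and no confidentiality or integrity impact at all, which a v4.0 calculator scores as 0.0. Carrying the v3.1 metrics over would give something like `"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"`. Also, the edit replaces the `CVSS_V3` entry rather than adding the v4.0 entry next to it; keeping both in the `severity` array is the usual shape for this database and avoids dropping a score that downstream consumers already match on.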
|
|
@@ -143,7 +143,7 @@ | |||||
| "CWE-285", | ||||||
| "CWE-863" | ||||||
| ], | ||||||
| "severity": "CRITICAL", | ||||||
| "severity": "LOW", | ||||||
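Review bot: downgrading `database_specific.severity` from `CRITICAL` to `LOW` is inconsistent both with the advisory text (an unauthenticated authorization bypass, tagged CWE-285 and CWE-863 in the context lines above) and with the new vector in the previous hunk, whose all-`N` impact metrics would score 0.0 (None), not Low. Either the v4.0 vector or this label is wrong, and given the `details` section it is the vector; this line should stay `"severity": "CRITICAL",` until the vector is corrected.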
The CVSS v4.0 score is severely incorrect and misrepresents the vulnerability severity. The new score indicates:
This vulnerability allows bypassing authorization checks via network requests with a specific header. The original CVSS v3.1 score (9.1 CRITICAL) correctly reflected this. The new score would rate near 0.0, which is completely inconsistent with the vulnerability description stating it "is possible to bypass authorization checks."
The CVSS v4.0 score should maintain high impact ratings for confidentiality and integrity, network attack vector, and low/no privilege requirements to accurately represent this authorization bypass vulnerability.