Authorization bypass vulnerability in Next.js middleware
If a Next.js application performs its authorization check in middleware, that check can be bypassed. Fixed versions include 15.2.3 and 14.2.25; where upgrading is not possible, block requests that carry the x-middleware-subrequest header. Applications deployed on Vercel are protected automatically. Credits: Allam Rachid and Allam Yasser. 2025-03-24 09:06:00 Author: github.com (view original)

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js versions 11.1.4 through 13.5.6, we recommend consulting the workaround below.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)

Source: https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw