
Unauthorized Access in Next.js Due to Authentication Flaws


Unchecked Next.js Authentication Loophole Unearths Potential Security Risk

In a recent security advisory, the Australian Cyber Security Centre (ACSC) has advised users to upgrade certain versions of Next.js due to a vulnerability that could potentially allow a remote attacker to bypass security checks, including many forms of authentication.

The issue is that Middleware in Next.js can be skipped, so any authorization or other checks implemented there never run for the request. This affects self-hosted Next.js applications that use Middleware. Applications hosted on Vercel and Netlify, as well as those deployed as static exports, are not affected.

The affected release lines are Next.js 12.x, 13.x and 14.x, and a fixed release is also listed for 15.x. The fixes are: Next.js 12.x in version 12.3.5, Next.js 13.x in version 13.5.9, Next.js 14.x in version 14.2.25, and Next.js 15.x in version 15.2.3.

Anyone who relies on Middleware for authentication or other security checks should upgrade to a fixed version as soon as possible. Where patching is not immediately feasible, the recommended interim measure is to prevent external requests that carry the x-middleware-subrequest header from reaching the Next.js application, for example by stripping or rejecting that header at a reverse proxy or edge layer in front of the app.

As a further mitigation, applications behind Cloudflare can enable a Managed WAF rule that blocks requests containing the x-middleware-subrequest header, so such requests are dropped before they reach the application.

At the time of writing, no specific organizations running affected self-hosted Next.js deployments (using Middleware, not hosted on Vercel or Netlify, and not deployed as static exports) have been publicly identified as impacted.

In conclusion, while this vulnerability does pose a potential threat to self-hosted Next.js applications using Middleware, taking the necessary steps to upgrade to a safe version and implementing additional security measures can help protect your application from potential attacks. Stay vigilant and keep your applications secure!
