Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps) fix Next.js critical vulnerability #1987

Merged
merged 1 commit into from
Mar 24, 2025
Merged

chore(deps) fix Next.js critical vulnerability #1987

merged 1 commit into from
Mar 24, 2025

Conversation

melloware
Copy link
Collaborator

@melloware
Copy link
Collaborator Author

Impact
It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches
For Next.js 15.x, this issue is fixed in 15.2.3
For Next.js 14.x, this issue is fixed in 14.2.25
For Next.js 13.x, this issue is fixed in 13.5.9
For Next.js 12.x, this issue is fixed in 12.3.5
For Next.js 11.x, consult the below workaround.
Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround
If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

@melloware melloware merged commit 0d3e6e7 into orval-labs:master Mar 24, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anymaniax anymaniax anymaniax approved these changes

@soartec-lab soartec-lab Awaiting requested review from soartec-lab

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@melloware @anymaniax