CVE-2025-29927 – Next.js (这个不需要翻译，因为已经是英文缩写和专业术语了)

CVE-2025-29927 – Next.js (这个不需要翻译，因为已经是英文缩写和专业术语了)
Next.js version 15.2.3 has been released to address a security vulnerability

原始链接: https://nextjs.org/blog/cve-2025-29927

Next.js 15.2.3 版本已发布，用于解决 CVE-2025-29927 安全漏洞。该漏洞影响使用 `next start` 和 `output: 'standalone'` 的自托管部署。此漏洞允许绕过中间件，可能跳过重要的安全检查，例如授权。此漏洞特别影响依赖中间件进行身份验证或安全检查，且随后未进行验证的应用程序。 **受影响的:** 使用中间件的自托管 Next.js 应用程序。 **不受影响的:** Vercel、Netlify 或静态导出。 **修复方案:** * Next.js 15.x: 更新到 15.2.3 * Next.js 14.x: 更新到 14.2.25 * Next.js 13.x: 更新到 13.5.9 如果无法立即进行修补，请使用 `x-middleware-subrequest` 头阻止外部请求。v12 版本的补丁也计划推出。 Next.js 正在改进其漏洞管理流程，并创建了一个合作伙伴邮件列表以进行主动沟通。请联系 [email protected] 加入。

Next.js框架中发现了一个严重的安全性漏洞CVE-2025-29927，引发了对其安全性以及Vercel声誉的担忧。该漏洞允许绕过中间件，可能跳过关键的授权检查，从而使应用程序面临未授权访问的风险。用户对漏洞的易利用性和Next.js在缺乏经验的开发者中的广泛使用表示担忧，这可能导致大范围的安全风险。问题与内部标头`x-middleware-subrequest`有关，该标头可以被操纵以避免中间件执行。一些开发者正在重新考虑使用Next.js，理由是其持续的变化、关键问题的修复不足以及整体安全性等问题。Django/HTMX和Koa等替代方案因其稳定性和简单性而受到考虑。对中间件进行关键安全功能的依赖放大了此漏洞的影响。

（评论） 2024-09-12

CVE-2023-40547 – 避免错误地信任 HTTP 标头 2024-01-27

（评论） 2024-09-23

（评论） 2025-03-19

原文

Next.js version 15.2.3 has been released to address a security vulnerability (CVE-2025-29927). Additionally, backported patches are available.

We recommend that all self-hosted Next.js deployments using next start and output: 'standalone' should update immediately.

Continue reading for more details on the CVE.

2025-02-27T06:03Z: Disclosure to Next.js team via GitHub private vulnerability reporting
2025-03-14T17:13Z: Next.js team started triaging the report
2025-03-14T19:08Z: Patch pushed for Next.js 15.x
2025-03-14T19:26Z: Patch pushed for Next.js 14.x
2025-03-17T22:44Z: Next.js 14.2.25 released
2025-03-18T00:23Z: Next.js 15.2.3 released
2025-03-18T18:03Z: CVE-2025-29927 issued by GitHub
2025-03-21T10:17Z: Security Advisory published
2025-03-22T21:21Z: Next.js 13.5.9 released

We are also publishing a backport for v12. We will update this post as they are released.

Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops. The security report showed it was possible to skip running Middleware, which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes.

Affected

Self-hosted Next.js applications using Middleware (next start with output: standalone)
This affects you if you rely on Middleware for auth or security checks, which are not then validated later in your application.
Applications using Cloudflare can turn on a Managed WAF rule

Not affected

Applications hosted on Vercel
Applications hosted on Netlify
Applications deployed as static exports (Middleware not executed)

For Next.js 15.x, this issue is fixed in 15.2.3
For Next.js 14.x, this issue is fixed in 14.2.25
For Next.js 13.x, this issue is fixed in 13.5.9

If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

We are also publishing a backport for v12. We will update this post as they are released.

Next.js has published 16 security advisories since 2016. Over time, we've continued to improve how we gather, patch, and disclose vulnerabilities.

GitHub Security Advisories and CVEs are industry-standard approaches to notifying users, vendors, and companies of vulnerabilities in software. While we have published a CVE, we missed the mark on partner communications.

To help us more proactively work with partners depending on Next.js, and other infrastructure providers, we are opening a partner mailing list. Please reach out to [email protected] to be included.