(comments)

Original link: https://news.ycombinator.com/item?id=43448723

A serious security vulnerability, CVE-2025-29927, has been found in the Next.js framework, raising concerns about its security and about Vercel's reputation. The vulnerability allows middleware to be bypassed, potentially skipping critical authorization checks and exposing applications to unauthorized access. Users voice concern about how easily the flaw can be exploited and about how widely Next.js is used by inexperienced developers, which could lead to large-scale security risk. The problem involves the internal header `x-middleware-subrequest`, which can be manipulated to avoid middleware execution. Some developers are reconsidering their use of Next.js, citing its constant churn, inadequate fixes for important issues, and overall security. Alternatives such as Django/HTMX and Koa are being considered for their stability and simplicity. Reliance on middleware for critical security functions amplifies the impact of this vulnerability.
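As an added example (not code from the thread, from Next.js or from Vercel), here is a defender-side guard for the internal header named above: a function that strips any client-supplied `x-middleware-subrequest` before a request is forwarded to the application, and a scan over constructed JSON access-log lines that flags requests which arrived already carrying it. It assumes headers are plain `{ name: value }` objects as Node's `http` module provides them; the log format is invented for the example.

```javascript
// Added example, not code from the HN thread or from Next.js: an edge-side
// guard and a log check for the internal `x-middleware-subrequest` header.
// Assumed: header objects are plain { name: value } maps as Node's http module
// gives them, and log lines are one JSON record per line (a constructed format).
const INTERNAL_HEADER = 'x-middleware-subrequest';

// True if the header is present under any letter casing.
function carriesInternalHeader(headers) {
  return Object.keys(headers || {}).some((h) => h.toLowerCase() === INTERNAL_HEADER);
}

// Build a copy of the inbound headers with the internal header removed, so a
// reverse proxy or Node front-end never forwards a client-supplied value to the
// application. Returns the cleaned headers and whether anything was dropped.
function stripInternalHeader(headers) {
  const cleaned = {};
  let removed = false;
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === INTERNAL_HEADER) { removed = true; continue; }
    cleaned[name] = value;
  }
  return { headers: cleaned, removed };
}

// Scan access-log records for requests that arrived from a client already
// carrying the header; legitimate traffic from outside the app never sets it.
function findSuspiciousRequests(lines) {
  const hits = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // malformed line: skip, don't abort
    if (carriesInternalHeader(rec.headers)) {
      hits.push({ ip: rec.ip, path: rec.path });
    }
  }
  return hits;
}

// Constructed sample log: two ordinary requests, one malformed line and one
// request that brought the internal header in from the outside.
const SAMPLE_LOG = [
  '{"ip":"203.0.113.7","path":"/","headers":{"host":"app.example"}}',
  '{"ip":"203.0.113.9","path":"/admin","headers":{"host":"app.example","X-Middleware-Subrequest":"redacted"}}',
  'not json at all',
  '{"ip":"198.51.100.4","path":"/login","headers":{"host":"app.example","cookie":"session=abc"}}',
];
```

Run it at the edge in front of the app as a stopgap while upgrading; the log scan is a quick way to check whether such requests have already been seen.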


Original text
CVE-2025-29927 – Next.js (nextjs.org)
33 points by makepanic 1 hour ago | hide | past | favorite | 13 comments

Vercel’s reputation is so cooked. Jeez.


it only took 16 days to triage a global next.js auth bypass


> Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops. The security report showed it was possible to skip running Middleware, which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes.


We opted for self-hosted next.js as the architecture for the web app we are building because we believed a lot of the hype.

The more comments I read about it in HN, the less comfortable I feel about this decision.



I spent about a week coding in it trying to figure out what the hype was about. I decided to go with django/htmx. A year later I have absolutely no regrets.


Is NextJS considered safe? Would you build something for the government or a big Corp with it?


No. I wasn't concerned about security but just churn. They keep changing things. They also don't fix stuff people care about a lot.

I'd just use Koa and keep it simple.



This is one of the worst security vulnerabilities I have seen in a while. It's so blatant, so easy to exploit. So many nextjs applications written by beginners that are completely exposed.


Middleware skipping could expose all kinds of problems. A lot is done in middleware that the rest of the code can lay back and assume is dealt with.


It's going to take a while for the LLMs to catch up so we can un-vibe our way out of this


Unvibe AI (YC S25) is hiring.


Written by anybody


Vibe coding framework of choice





