Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NVercel Next.js
APPVercel11.1.4 – 12.3.5 (bez)13.0.0 – 13.5.9 (bez)14.0.0 – 14.2.25 (bez)15.0.0 – 15.2.3 (bez)
Related vulnerabilities
RCE bez uwierzytelnienia w React Server Components (deserializacja)
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2....
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2....
Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2....
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2...