
John Hammond Explores Critical Vulnerability in Next.js
In this video, John Hammond explores a critical vulnerability in Next.js, a React framework for building full-stack web applications. The vulnerability, tracked as CVE-2025-29927, allows authorization checks in Next.js applications to be bypassed when those checks are performed in the middleware. The flaw is fixed in Next.js versions 14.2.25 and 15.2.3; it received a CVSS score of 9.1, classifying it as critical.

Hammond begins by explaining that this vulnerability has sparked much discussion in the front-end development community, particularly because it involves popular technologies such as React, Vercel, and Next.js. He clarifies that he is not a front-end developer but has a good understanding of vulnerabilities and cybersecurity. The vulnerability was discovered by security researchers, and their work is available on GitHub and other platforms.

Technically, the vulnerability relies on the "x-middleware-subrequest" HTTP request header. If this header contains a specific value, the authorization checks in the Next.js middleware are skipped. Hammond demonstrates this by building a vulnerable proof-of-concept application on an older version of Next.js: he uses Docker to create a container with Next.js version 12.2 and adds authentication features to illustrate the vulnerability. Using tools such as curl and Burp Suite, he shows how the flaw lets a request reach protected pages without providing credentials. He explains that the impact can be serious, especially if the application allows template modifications, file uploads, or code execution, and he notes that the flaw could also be used for "cache poisoning" attacks that make a site's pages unusable.

Hammond also discusses the fix implemented by the Vercel team. The solution involves generating a secret identifier server-side for middleware subrequests, so that clients can no longer bypass the authorization checks. He notes that Vercel acted quickly to fix the vulnerability, which is a positive point despite the initial criticism.

In conclusion, this video provides a detailed analysis of CVE-2025-29927 in Next.js, explaining its practical implications and demonstrating how it can be exploited. Hammond ends by encouraging developers to stay vigilant and apply the necessary patches to secure their applications.