.png)
3 days ago
19 BOOK THIS SPACE FOR AD
ARTICLE AD
Next.js is a powerful React framework used to build both server-side rendered (SSR) and static web applications. It simplifies development with file-based routing, API routes, and automatic code splitting, making apps faster and more efficient. With built-in support for SSR, static site generation (SSG), and incremental static regeneration, it boosts performance and SEO. The framework also includes middleware for adding custom logic during request processing. Its API routes make backend tasks easier by enabling serverless functions. Overall, Next.js is a go-to choice for creating scalable, fast, and SEO-friendly web apps.
Companies choose Next.js because it delivers high performance, scalability, and flexibility. Its server-side rendering (SSR) ensures faster load times and better SEO, making websites more discoverable. With static site generation (SSG), pages load instantly, improving user experience. API routes simplify backend development by eliminating the need for a separate server. The middleware feature allows custom security, authentication, and logging. Additionally, automatic code splitting optimizes loading speed by reducing unnecessary JavaScript. Overall, Next.js provides a modern, efficient framework for building fast, scalable, and SEO-friendly applications.
What Happens to Next.js Version 14.2.25 and 15.2.3
Next.js versions 14.2.25 and 15.2.3 contain a critical vulnerability that allows attackers to bypass middleware authorization checks. This flaw occurs due to improper handling of trailing slashes and URL encoding, enabling unauthorized access to protected routes. Attackers can manipulate the URL format to skip middleware validation, potentially exposing sensitive data or restricted resources.
The vulnerability tracked as CVE-2025–29927, carries a CVSS score of 9.1 out of 10.0.
Middleware in Next.js is a function that sits between the request and the response, allowing you to run custom logic before completing the request cycle. It enables you to modify or validate requests, making it useful for authentication, logging, redirects, rate-limiting, and security checks.
Middleware functions are executed before the request reaches the actual route or API handler.It uses Edge Functions, meaning the code runs closer to the user (at the CDN level), improving performance.Middleware can handle incoming requests, modify responses, or even rewrite URLs.// middleware.tsimport { NextResponse } from 'next/server';
export function middleware(req) {
const { pathname } = req.nextUrl;
// Redirect if user is not authenticated
const isAuthenticated = req.cookies.get('auth-token');
if (!isAuthenticated && pathname.startsWith('/dashboard')) {
return NextResponse.redirect('/login');
}
return NextResponse.next();
}
export const config = {
matcher: ['/dashboard/:path*'], // Apply middleware only to dashboard routes
};// middleware.ts (Vulnerable)
import { NextResponse } from 'next/server';
export function middleware(req) {
const { pathname } = req.nextUrl;
// Extract authentication token from cookies
const isAuthenticated = req.cookies.get('auth-token');
// 🛑 Vulnerability: Weak Authorization Check
// Attackers can bypass this by appending a trailing slash or using encoded paths
if (!isAuthenticated && pathname.startsWith('/dashboard')) {
return NextResponse.redirect('/login');
}
return NextResponse.next();
}
export const config = {
matcher: ['/dashboard/:path*'], // Apply middleware only to dashboard routes
};
In your Next.js app, the middleware is applied to requests hitting the /dashboard route due to this configuration
export const config = {
matcher: [‘/dashboard/:path*’], // Middleware applies to /dashboard and subroutes
};
When you intercept the request in Burp Suite, you’re not bypassing the /dashboard route directly — you're exploiting the middleware itself by confusing its URL-matching behavior.
In Burp Suite, you send a request to the middleware-protected route:
GET /dashboard HTTP/1.1Host: example.com
Cookie: auth-token=invalid_token
User-Agent: Mozilla/5.0
Since you have an invalid token, the middleware kicks in and redirects you to /login
Now, you manipulate the URL in Burp Suite by adding a trailing slash or encoding:
GET /dashboard/ HTTP/1.1 ← Trailing Slash ExploitGET /dashboard%2F HTTP/1.1 ← Encoded Slash ExploitThe middleware fails to normalize the URL, treating /dashboard/ as a separate path from /dashboard.This causes the middleware to skip execution, granting unauthorized access.
In the vulnerable middleware:
if (!isAuthenticated && pathname.startsWith('/dashboard')) {return NextResponse.redirect('/login');
}This line only checks for /dashboard, not /dashboard/ or encoded versions.The middleware logic doesn’t normalize the URL, allowing bypass with trailing slashes and encoding.
Here’s how the Burp flow with middleware interaction looks:
GET /dashboard HTTP/1.1Host: example.com
Cookie: auth-token=invalid_token
Middleware Execution: Redirects to /login due to missing authentication
Bypass Request:
GET /dashboard/ HTTP/1.1 ← Trailing SlashHost: example.com
Cookie: auth-token=invalid_tokenThe server treats /dashboard/ as a different path.The middleware doesn’t run, and the attacker gains unauthorized accessNormalize URLs Before Authorization Checks:
→ Use decodeURIComponent() and remove trailing slashes to standardize the URL before middleware validation.
→ This ensures /dashboard, /dashboard/, and /dashboard%2F are treated the same.Strict Matching in Middleware:
→ Use case-insensitive and strict path matching.
→ Convert paths to lowercase and validate against a normalized list to prevent bypass.Upgrade to the Latest Next.js Version:
→ Update to patched versions of Next.js, as the vulnerability is fixed in newer releases.
→ Use npm update next or yarn upgrade next.Add Server-Side Authorization as Backup:
→ Implement server-side authorization checks on protected routes, even if middleware is bypassed.
→ This adds an extra layer of security.
Cheers and peace out!
Want to Know About Us more: Read Here
Below is our Security Quote:
We Break It !! → We Fix It !! → We Secure It!!
We Play Our Own Game and Challenges Over Our Security Ground!
Bengali (Bangladesh) · 
English (United States) ·