[Translation] How a 9.3 vulnerability waited 3 years to be discovered
A critical 9.3/10 vulnerability was found in the largest JavaScript framework, Next.js; it took Vercel 13 days to fix it.

Understanding and Mitigating CVE-2025-29927: A Critical Next.js Vulnerability
#nextjs #cve202529927 #websecurity #middleware #authorizationbypass
Critical Next.js Middleware Vulnerability (CVE-2025-29927)
A major auth bypass vulnerability in Next.js middleware (prior to v14.2.25 / v15.2.3) allows attackers to inject the x-middleware-subrequest header and bypass authorization entirely. Exploitable via simple HTTP requests—no user interaction, no special permissions.
Patch. Now. Or block the header manually.
GitHub scored this 9.1 CRITICAL, but the real issue? This flaw exposes a systemic weakness in middleware validation, and some vendors weren’t exactly upfront about the risks.
Details + POC: https://zeropath.com/blog/nextjs-middleware-cve-2025-29927-auth-bypass
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29927
Security theater is easy. Secure defaults and transparency are harder—but essential.
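The post above recommends either patching or blocking the header manually. As an added illustration (not code from the original posts, from Vercel, or from the Next.js project), the Node.js snippet below shows what "block the header manually" looks like at a reverse proxy or front door placed in front of a Next.js deployment, plus a small scanner that pulls attempts out of access logs so the mitigation can be paired with detection. Only the header name `x-middleware-subrequest` comes from the post; the function names, the JSON-per-line log format and the sample log lines are assumptions constructed for this example.

```javascript
// Added example for the "block the header manually" mitigation described above.
// Not from the original posts or from Vercel/Next.js; only the header name is
// taken from the post. Function names and log format are assumptions.
'use strict';

// Header that Next.js middleware treats as internal. External clients never
// have a legitimate reason to send it, so it can be rejected at the edge.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// True when an inbound request carries the internal-only header.
// Node lower-cases header names on req.headers, but raw objects (proxy
// configs, log entries) may not, so compare case-insensitively.
function carriesInternalHeader(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER
  );
}

// Copy of the headers with the internal-only header removed. Use this when
// you prefer silently stripping at the proxy over rejecting the request.
function stripInternalHeader(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== BLOCKED_HEADER) out[name] = value;
  }
  return out;
}

// Front-door request handler: reject requests that carry the header with
// 403 and let everything else through. Plug into http.createServer(handleRequest)
// and forward the sanitized request on to Next.js (forwarding omitted here).
function handleRequest(req, res) {
  if (carriesInternalHeader(req.headers)) {
    res.writeHead(403, { 'content-type': 'text/plain' });
    res.end('forbidden');
    return;
  }
  res.writeHead(200, { 'content-type': 'text/plain' });
  res.end('ok');
}

// Detection side: scan access-log lines (assumed format: one JSON object per
// line with a "headers" map) and return the entries that carried the header.
// Lines that are not valid JSON are skipped rather than aborting the scan.
function findSuspiciousLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (e) {
      continue;
    }
    if (entry && carriesInternalHeader(entry.headers)) hits.push(entry);
  }
  return hits;
}

// Constructed sample log lines (not real traffic). The header value is a
// placeholder; what matters for blocking and detection is its presence.
const SAMPLE_LOG = [
  '{"ip":"203.0.113.5","path":"/admin","headers":{"X-Middleware-Subrequest":"value-redacted"}}',
  '{"ip":"198.51.100.7","path":"/","headers":{"accept":"text/html"}}',
  'not json at all',
];

// Example run: expect exactly one flagged entry, for /admin.
const flagged = findSuspiciousLogLines(SAMPLE_LOG);
console.log(`flagged ${flagged.length} request(s):`, flagged.map((h) => h.path));
```

The filter belongs in front of the application, not inside Next.js middleware itself, because the vulnerable code path runs before any user-written middleware gets a say; rejecting with 403 rather than stripping also leaves a clear signal in the logs that `findSuspiciousLogLines` can later count. Blocking the header is a stopgap for fleets that cannot upgrade immediately and is not a substitute for moving to the patched versions named in the post.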
Oh no! The Earth-shattering CVE-2025-29927 has been unleashed, bringing the Next.js universe to its knees...or so they say.
Apparently, to save humanity, you must update ASAP—because nothing screams urgency like a #vulnerability numbering system that sounds like a barcode.
https://nextjs.org/blog/cve-2025-29927 #CVE202529927 #Nextjs #UpdateUrgency #CyberSecurity #HackerNews #ngated