next.js's x-middleware-subrequest vulnerability

Mar 22, 202515

AI Translation

This post is translated from Chinese into English through AI.View Original

AI-generated summary

A high-severity vulnerability in Next.js has been identified, which allows for potential attacks by bypassing middleware through subrequests. The issue was publicly disclosed recently, and a fix was committed five days ago. Exploiting the vulnerability appears to be straightforward. The author humorously notes that they have switched from Next.js to Remix, implying that the latter is a safer choice.

Saw a high-risk issue with next.js.

https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw

It vaguely (~~obscene~~) states that blocking x-middleware-subrequest can mitigate the attack.

Commit for the vulnerability fix
https://github.com/vercel/next.js/commit/9704c8e9fcc58236349ed787903831579440a879

The commit was made five days ago, and the CVE was released yesterday. This means it has been lingering in the wild for several days.

Exploitation seems really easy... setting subrequest to true directly bypasses the intermediate logic? (I didn't look very closely)

All I can say is that OpenAI is still a step ahead, having switched from next.js to remix a long time ago, hahahahaha.