This alert is relevant to Australian organisations that use affected Next.js versions. This alert is intended to be understood by technical users.
Customers are encouraged to upgrade to the latest version of Next.js, as detailed in the Next.js advisory.
Background / What has happened?
- Next.js has published an advisory detailing a vulnerability that could allow a remote attacker to bypass security checks, including many forms of authentication.
- Self-hosted Next.js applications that use middleware (run with "next start" and "output: standalone") are affected.
- Next.js uses an internal header (x-middleware-subrequest) to prevent recursive requests from triggering infinite loops.
- It is possible to skip running middleware by way of this header, which could allow requests to bypass critical checks, such as authorisation cookie validation, before reaching routes.
- Affected versions/applications:
  - Next.js 15.x versions prior to 15.2.3
  - Next.js 14.x versions prior to 14.2.25
  - Next.js 13.x versions prior to 13.5.9
  - Next.js 12.x versions prior to 12.3.5
Mitigation / How do I stay secure?
The ASD's ACSC recommends that individuals, businesses, organisations and government entities:
- Follow the Next.js advice for affected versions.
- Consider updating all self-hosted Next.js deployments immediately.
Further information and details to investigate potential compromise can be found in the Next.js Security release.
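As an added illustration (not part of this alert or of the Next.js advisory), the JavaScript below triages a deployment's Next.js version against the affected ranges listed above and, as a defence-in-depth step at a front proxy until the upgrade is done, removes the internal x-middleware-subrequest header from inbound requests; the proxy wiring shown in the final comment and the inputs to matchesAlertConditions are assumptions.

```javascript
// Added example, not code from the ASD's ACSC alert or from the Next.js project.

// Minimum fixed release per major line, as listed in the alert.
const FIXED_VERSIONS = { 12: '12.3.5', 13: '13.5.9', 14: '14.2.25', 15: '15.2.3' };

// Parse "15.2.3", "v15.2.3" or "15.2.3-canary.1" into comparable numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  // Fourth element: 0 for a prerelease, 1 for a final release, so that
  // "15.2.3-canary.1" sorts before "15.2.3" as semver requires.
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 4; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// True when the version falls in one of the affected ranges from the alert.
// Major lines the alert does not list (e.g. 11.x) are reported as not listed.
function isAffectedVersion(version) {
  const fixed = FIXED_VERSIONS[parseVersion(version)[0]];
  if (fixed === undefined) return false;
  return compareVersions(version, fixed) < 0;
}

// Combine the version check with the deployment conditions the alert names:
// self-hosted ("next start" / output: standalone) and using middleware.
// The two boolean inputs are assumed to come from the operator's inventory.
function matchesAlertConditions({ version, selfHosted, usesMiddleware }) {
  return Boolean(selfHosted && usesMiddleware) && isAffectedVersion(version);
}

// Header names are case-insensitive, so match any spelling of the internal
// header and drop it before the request is forwarded to the Next.js server.
const INTERNAL_HEADER = 'x-middleware-subrequest';
function stripInternalHeader(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== INTERNAL_HEADER) out[name] = value;
  }
  return out;
}

// Hypothetical wiring in an Express-style front proxy (Node lowercases
// incoming header names, so a plain delete would also do there):
// app.use((req, res, next) => { req.headers = stripInternalHeader(req.headers); next(); });
```

Stripping the header at the edge only reduces exposure for traffic that passes through that proxy; the alert's advice to upgrade still applies.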
Assistance / Where can I go for help?
Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).