Next.js has published a security advisory detailing an authorisation bypass vulnerability in Next.js, a popular open-source React-based web development framework used to build full-stack web applications in the UK and around the world.
An attacker may be able to exploit this vulnerability by sending a request that the application treats as an internal request, bypassing authorisation checks and gaining unauthorised access to sensitive data.
Proof-of-concept exploits for this vulnerability are widely and freely available.
Organisations hosting web applications that use the following versions of Next.js are vulnerable:
- All versions of 13.x before 13.5.9
- All versions of 14.x before 14.2.25
- All versions of 15.x before 15.2.3
- Versions from 11.1.4 up to (but not including) 12.3.5
The NCSC recommends following vendor best practice advice to mitigate vulnerabilities. In this case, if you use an affected product, you should take these priority actions:
- Update to one of the latest fixed versions listed on the vendor’s website at the earliest opportunity.
- If updating to a fixed version is not feasible, the vendor has recommended that external user requests containing the “x-middleware-subrequest” header be blocked from reaching your Next.js application. This should be a temporary measure until updating to the latest version is possible.
- Monitor logs for potential attacks, for example requests carrying the x-middleware-subrequest header with the value src/middleware:src/middleware:src/middleware:src/middleware:src/middleware.
- If you suspect a compromise, find out where to report by visiting gov.uk/report-cyber.
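As an added illustration of the blocking and monitoring actions above (example code, not from the NCSC advisory or the Next.js project), the following Node.js snippet flags access-log entries that carry the x-middleware-subrequest header and strips that header before a request is forwarded; the JSON-lines log format and the sample entries are constructed for this example.

```javascript
// Added example: triage helper for the x-middleware-subrequest header.
// Not part of the NCSC advisory or Next.js; log format is assumed.
const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Case-insensitive lookup: returns the header value, or undefined if absent.
function getSubrequestHeader(headers) {
  const hit = Object.entries(headers || {})
    .find(([name]) => name.toLowerCase() === SUBREQUEST_HEADER);
  return hit ? hit[1] : undefined;
}

// Monitoring: scan a JSON-lines access log (constructed format, one entry per
// line shaped like {"ts","src","path","headers"}) and return every request
// that arrived carrying the header. Malformed lines are skipped.
function findSuspiciousRequests(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    const value = getSubrequestHeader(entry.headers);
    if (value !== undefined) {
      hits.push({ ts: entry.ts, src: entry.src, path: entry.path, value });
    }
  }
  return hits;
}

// Blocking: drop the header at the edge so no external request can reach the
// application claiming to be an internal middleware subrequest.
function stripSubrequestHeader(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== SUBREQUEST_HEADER) clean[name] = value;
  }
  return clean;
}

// Constructed sample log: a benign request, a request carrying the value the
// advisory says to look for, and one malformed line.
const SAMPLE_LOG = [
  '{"ts":"2025-03-24T10:00:00Z","src":"198.51.100.7","path":"/","headers":{"host":"app.example"}}',
  '{"ts":"2025-03-24T10:00:05Z","src":"203.0.113.5","path":"/admin","headers":{"host":"app.example","X-Middleware-Subrequest":"src/middleware:src/middleware:src/middleware:src/middleware:src/middleware"}}',
  'not json',
].join('\n');

// Example run: prints the single flagged /admin request.
console.log(findSuspiciousRequests(SAMPLE_LOG));
```

Whether the header reaches the application from outside at all is the thing to verify: after the proxy strips it, the log scan should return no hits for external sources.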
The vendor advisory highlights that this vulnerability is exploitable in self-hosted Next.js applications if authorisation checks occur in Next.js middleware. Applications hosted on Vercel, Netlify, or deployed as static exports are not affected.
The NCSC provides a range of free guidance, services and tools that help to secure systems.
- Follow NCSC guidance, including on vulnerability management and preventing lateral movement.
- The NCSC Vulnerability Disclosure Toolkit helps organisations of all sizes with the essential components of implementing a vulnerability disclosure process.