Aggregator
Advancing Artificial Intelligence Security: Our Partnership with OpenAI and Red Team Operations
CoffeeLoader Malware Loader Linked to SmokeLoader Operations
When Getting Phished Puts You in Mortal Danger
Windows Server 2025 Security Update Freezes Remote Desktop Sessions Connection
A recent security update for Windows Server 2025, released on February 11, 2025 (KB5051987), has caused a significant issue for users relying on Remote Desktop Protocol (RDP). The update, part of Microsoft’s February Patch Tuesday, has led to RDP sessions freezing shortly after connection, rendering mouse and keyboard inputs unresponsive. Microsoft has confirmed this problem, […]
The post Windows Server 2025 Security Update Freezes Remote Desktop Sessions Connection appeared first on Cyber Security News.
Alleged Sale of Cyber Mail Checker Tool
Akira
RansomHub
The 4 WordPress flaws hackers targeted the most in Q1 2025
GorillaBot Attacks Windows Devices With 300,000+ Attack Commands Across 100+ Countries
A new botnet named “GorillaBot,” has orchestrated over 300,000 attack commands across more than 100 countries within a span of just three weeks. Built on the infamous Mirai botnet framework, GorillaBot represents a sophisticated malware evolution. It leverages advanced encryption and evasion techniques to target industries ranging from telecommunications to finance and education. Discovered by […]
The post GorillaBot Attacks Windows Devices With 300,000+ Attack Commands Across 100+ Countries appeared first on Cyber Security News.
Red wolf ceyber Targeted the Website of Cumhuriyet Halk Partisi (CHP)
Valve 证实 Steam 简体中文玩家超过英语玩家
Akira
Akira
How to manage and protect your biometric data
Biometric data refers to unique physical or behavioral characteristics that are used to verify a person’s identity. Revoking or changing biometric data is more complicated than changing passwords. Unlike passwords, biometric identifiers like fingerprints or retina scans are unique and permanent. This makes it particularly vulnerable if stolen. Cybercriminals can use stolen biometric information to impersonate someone and bypass security systems, putting personal accounts and data at risk. Many people are unaware of how their … More →
The post How to manage and protect your biometric data appeared first on Help Net Security.
CVE-2025-29927: Next.js Middleware Authorization Bypass Flaw
IntroductionOn March 21, 2025, a critical vulnerability, CVE-2025-29927, was publicly disclosed with a CVSS score of 9.1, signifying high severity. Discovered by security researcher Rachid Allam, the flaw enables attackers to bypass authorization checks in Next.js Middleware, potentially granting unauthorized access to protected resources. This poses a risk to applications that rely on Middleware to enforce user authorization, validate session data, control route access, handle redirections, and manage UI visibility based on user roles or permissions. RecommendationsUsers whose applications leverage Next.js Middleware for authorization are strongly urged to: Update applications: Upgrade to the patched version listed in the affected versions section below.Stop header exploits: For applications running version greater than 11.1.4 and less than or equal to 13.5.6, where no secure version is available, configure load balancers or web servers to block external requests containing the x-middleware-subrequest header from reaching the Next.js application.Affected VersionsThe following table describes impacted Next.js versions, along with a corresponding patched version.Impacted VersionPatched Version%26gt; 11.1.4 %26lt;= 13.5.6None%26gt; 12.0 %26lt; 12.3.512.3.5%26gt; 13.0 %26lt; 13.5.913.5.9%26gt; 14.0 %26lt; 14.2.2514.2.25%26gt; 15.0 %26lt; 15.2.315.2.3Table 1: Table of impacted Next.js versions and their corresponding patched versions.BackgroundCVE-2025-29927 is an authorization bypass that allows attackers to circumvent Next.js Middleware controls entirely. By including a specially crafted x-middleware-subrequest HTTP header in requests, attackers can bypass authorization checks and gain unauthorized access to protected resources.Potential impacts of this vulnerability include:Unauthorized access: Attackers could gain access to private resources, APIs, or restricted application areas.Data exposure: Exploiting this flaw could lead to the theft of sensitive user information.Privilege escalation: Attackers might execute malicious actions, such as accessing administrative features or altering server states.Content Security Policy (CSP) Bypass: Middleware could be manipulated to modify CSP headers or cookies, potentially compromising application integrity.Cache poisoning: In certain configurations, attackers could exploit Middleware to force the caching of 404 responses in applications using a CDN between the Next.js application and the end user. This could render application pages unavailable, impacting their availability and disrupting user experience.How It WorksThe vulnerability stems from how Next.js Middleware handles requests through the runMiddleware function. This function evaluates the x-middleware-subrequest header from incoming requests to decide whether middleware checks should be enforced. The header value is split using a colon (:) as a delimiter and compared against the middlewareInfo.name, which represents the path or location of the middleware component. If the comparison matches, the request bypasses authorization checks and proceeds directly to its destination. The figure below shows a diagram of the attack flow.Figure 1: A diagram of the attack flow where an attacker abuses CVE-2025-29927.Originally designed to prevent infinite loops in recursive requests, this mechanism unintentionally introduced a loophole. Attackers can craft malicious x-middleware-subrequest headers to exploit this flaw, bypassing middleware controls and gaining unauthorized access to protected resources. The code enabling this vulnerability is shown in the figure below:Figure 2: Next.js Middleware code that enables CVE-2025-29927.Evolution of Middleware file naming and header parsingEarlier Versions (Pre 12.2): In early versions of Next.js (prior to 12.2), middleware files were named _middleware.ts, and only the Pages Router was available. During this period, the middlewareInfo.name value could be determined as pages/_middleware.ts. Attackers could craft a request header like the one below to bypass authorization checks: x-middleware-subrequest: pages/_middleware Next.js 12.2 and later: Starting with version 12.2, Next.js introduced changes to middleware file naming conventions, dropping the underscore (_) prefix. Middleware files became middleware.ts and could also be placed in a /src directory. The middlewareInfo.name could now be guessed as middleware or src/middleware. The corresponding crafted headers to bypass authorization are the following: x-middleware-subrequest: middleware x-middleware-subrequest: src/middleware Latest versions: In recent versions of Next.js, the logic for parsing the x-middleware-subrequest header evolved. The header value is still split using (:) as a delimiter, but the length of the resulting array (“depth”) is compared to a constant called MAX_RECURSION_DEPTH (defaulting to 5). This is done to calculate the number of subrequests and avoid an infinite loop condition. Middleware checks are applied only if the depth exceeds this threshold. Attackers exploit this logic by including repeated entries in the header to meet the required depth while bypassing middleware checks. For example: x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middlewareThe patchThe implemented fix addresses the vulnerability through two key components:Internal header stripping: All HTTP headers intended for internal use, like x-middleware-subrequest, are stripped from external requests during processing.String validation: The x-middleware-subrequest value is now validated against a randomly generated hexadecimal string, ensuring that only legitimate session requests pass authorization checks.This patch effectively mitigates the authorization bypass and ensures that Middleware components cannot be exploited using tampered request headers. The patched code is shown in the figure below:Figure 3: The patched code corresponds to version 15.2.3 of Next.js Middleware.ConclusionCVE-2025-29927 poses a risk to applications using Next.js Middleware for authorization, especially self-hosted instances. Middleware should supplement, not replace, robust security measures placed closer to the data source. The impact variation across hosting platforms highlights the need to consider deployment context in security planning.Zscaler CoverageThe Zscaler ThreatLabz team has deployed protection for CVE-2025-29927.Zscaler Private Access AppProtection6000919: Next.js Middleware Authorization Bypass (CVE-2025-29927)
The post CVE-2025-29927: Next.js Middleware Authorization Bypass Flaw appeared first on Security Boulevard.