Randall Munroe’s XKCD ‘Square Units’
via the comic humor & dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Square Units’ appeared first on Security Boulevard.
Introduction
On March 21, 2025, a critical vulnerability, CVE-2025-29927, was publicly disclosed with a CVSS score of 9.1, signifying high severity. Discovered by security researcher Rachid Allam, the flaw enables attackers to bypass authorization checks in Next.js Middleware, potentially granting unauthorized access to protected resources. This poses a risk to applications that rely on Middleware to enforce user authorization, validate session data, control route access, handle redirections, and manage UI visibility based on user roles or permissions.

Recommendations
Users whose applications leverage Next.js Middleware for authorization are strongly urged to:
- Update applications: Upgrade to the patched version listed in the affected versions section below.
- Stop header exploits: For applications running a version greater than 11.1.4 and less than or equal to 13.5.6, where no secure version is available, configure load balancers or web servers to block external requests containing the x-middleware-subrequest header from reaching the Next.js application.

Affected Versions
The following table describes impacted Next.js versions, along with a corresponding patched version.

Impacted Version          Patched Version
> 11.1.4 and <= 13.5.6    None
> 12.0 and < 12.3.5       12.3.5
> 13.0 and < 13.5.9       13.5.9
> 14.0 and < 14.2.25      14.2.25
> 15.0 and < 15.2.3       15.2.3
Table 1: Table of impacted Next.js versions and their corresponding patched versions.

Background
CVE-2025-29927 is an authorization bypass that allows attackers to circumvent Next.js Middleware controls entirely. By including a specially crafted x-middleware-subrequest HTTP header in requests, attackers can bypass authorization checks and gain unauthorized access to protected resources.

Potential impacts of this vulnerability include:
- Unauthorized access: Attackers could gain access to private resources, APIs, or restricted application areas.
- Data exposure: Exploiting this flaw could lead to the theft of sensitive user information.
- Privilege escalation: Attackers might execute malicious actions, such as accessing administrative features or altering server states.
- Content Security Policy (CSP) bypass: Middleware could be manipulated to modify CSP headers or cookies, potentially compromising application integrity.
- Cache poisoning: In certain configurations, attackers could exploit Middleware to force the caching of 404 responses in applications using a CDN between the Next.js application and the end user. This could render application pages unavailable, impacting their availability and disrupting user experience.

How It Works
The vulnerability stems from how Next.js Middleware handles requests through the runMiddleware function. This function evaluates the x-middleware-subrequest header from incoming requests to decide whether middleware checks should be enforced. The header value is split using a colon (:) as a delimiter and compared against middlewareInfo.name, which represents the path or location of the middleware component. If the comparison matches, the request bypasses authorization checks and proceeds directly to its destination. The figure below shows a diagram of the attack flow.

Figure 1: A diagram of the attack flow where an attacker abuses CVE-2025-29927.

Originally designed to prevent infinite loops in recursive requests, this mechanism unintentionally introduced a loophole. Attackers can craft malicious x-middleware-subrequest headers to exploit this flaw, bypassing middleware controls and gaining unauthorized access to protected resources. The code enabling this vulnerability is shown in the figure below:

Figure 2: Next.js Middleware code that enables CVE-2025-29927.

Evolution of Middleware file naming and header parsing
Earlier versions (pre 12.2): In early versions of Next.js (prior to 12.2), middleware files were named _middleware.ts, and only the Pages Router was available. During this period, the middlewareInfo.name value could be determined as pages/_middleware.ts. Attackers could craft a request header like the one below to bypass authorization checks:
x-middleware-subrequest: pages/_middleware

Next.js 12.2 and later: Starting with version 12.2, Next.js introduced changes to middleware file naming conventions, dropping the underscore (_) prefix. Middleware files became middleware.ts and could also be placed in a /src directory. The middlewareInfo.name could now be guessed as middleware or src/middleware. The corresponding crafted headers to bypass authorization are the following:
x-middleware-subrequest: middleware
x-middleware-subrequest: src/middleware

Latest versions: In recent versions of Next.js, the logic for parsing the x-middleware-subrequest header evolved. The header value is still split using (:) as a delimiter, but the length of the resulting array ("depth") is compared to a constant called MAX_RECURSION_DEPTH (defaulting to 5). This is done to count the number of subrequests and avoid an infinite loop condition. Middleware checks are skipped once the depth reaches this threshold. Attackers exploit this logic by including repeated entries in the header to meet the required depth, thereby bypassing middleware checks. For example:
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware

The patch
The implemented fix addresses the vulnerability through two key components:
- Internal header stripping: All HTTP headers intended for internal use, like x-middleware-subrequest, are stripped from external requests during processing.
- String validation: The x-middleware-subrequest value is now validated against a randomly generated hexadecimal string, ensuring that only legitimate internal subrequests pass authorization checks.

This patch effectively mitigates the authorization bypass and ensures that Middleware components cannot be exploited using tampered request headers. The patched code is shown in the figure below:

Figure 3: The patched code corresponds to version 15.2.3 of Next.js Middleware.

Conclusion
CVE-2025-29927 poses a risk to applications using Next.js Middleware for authorization, especially self-hosted instances. Middleware should supplement, not replace, robust security measures placed closer to the data source. The impact variation across hosting platforms highlights the need to consider deployment context in security planning.

Zscaler Coverage
The Zscaler ThreatLabz team has deployed protection for CVE-2025-29927.
Zscaler Private Access AppProtection
6000919: Next.js Middleware Authorization Bypass (CVE-2025-29927)
The post CVE-2025-29927: Next.js Middleware Authorization Bypass Flaw appeared first on Security Boulevard.
23andMe, the prominent consumer genetic testing company, filed for Chapter 11 bankruptcy on March 23, 2025, due to declining demand for its services and a significant data breach affecting millions of users. Co-founder Anne Wojcicki resigned as CEO but remains on the company’s board.
Implications for Customer Genetic Data
The bankruptcy raises concerns about the […]
The post Deleting DNA Data From 23andMe appeared first on Centraleyes.
The post Deleting DNA Data From 23andMe appeared first on Security Boulevard.
Threat actors are continuously evolving their tactics to exploit vulnerabilities and gain unauthorized access. That increasingly involves attacks targeting the software supply chain.
The post The Essential Role of Supply Chain Security in ASPM appeared first on Cycode.
The post The Essential Role of Supply Chain Security in ASPM appeared first on Security Boulevard.
Three powerful AI tools enable analysts to automate complex binary analysis. See how security teams can reverse engineer without additional headcount.
The post AI Can Now Reverse Engineer Malware – 3 Tools For Your Arsenal appeared first on Security Boulevard.
Author/Presenter: Emma Stewart Ph.D.
Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino, and via the organization’s YouTube channel.
The post BSidesLV24 – IATC – Living With the Enemy – How To Protect Yourself (And Energy Systems) appeared first on Security Boulevard.
Cary, North Carolina, 27th March 2025, CyberNewsWire
The post G2 Names INE 2025 Cybersecurity Training Leader appeared first on Security Boulevard.
Retailers, Financial Services, and the API Security Wake-Up Call
With the PCI DSS 4.0 compliance deadline fast approaching, Cequence threat researchers have uncovered troubling data: 66.5% of malicious traffic is targeting retailers. And attackers aren’t just after payment data. They’re weaponizing APIs to exploit every stage of the digital buying process. The conclusions in this […]
The post PCI DSS 4.0 Compliance Requires a New Approach to API Security appeared first on Cequence Security.
The post PCI DSS 4.0 Compliance Requires a New Approach to API Security appeared first on Security Boulevard.
The post 5 Must-Know Insights to Help Understand, and Prevent, Financial Cyber Attacks appeared first on Votiro.
The post 5 Must-Know Insights to Help Understand, and Prevent, Financial Cyber Attacks appeared first on Security Boulevard.
Business Email Compromise (BEC) fraud represents one of the most insidious threats facing businesses and individuals today.
The post Business Email Compromise, ACH Transactions, and Liability appeared first on Security Boulevard.
The traditional perimeter is no longer what protects our critical information and systems. In 2025, securing data is dependent on identity. With distributed multi-cloud, multi-IDP environments, the business world is up against a stark reality: the username and password have become the most dangerous attack vector in cybersecurity. Today, making identity as a Tier 1...
The post Identity security: A critical defense in 2025’s threat landscape appeared first on Strata.io.
The post Identity security: A critical defense in 2025’s threat landscape appeared first on Security Boulevard.
Get details on Legit's new capabilities that allow AppSec teams to prevent introducing vulnerabilities.
The post Legit Announces New Vulnerability Prevention Capabilities appeared first on Security Boulevard.
Why Compliance Frameworks are Crucial for NHIs?
Could the answer to your organization’s cybersecurity woes lie in Non-Human Identities (NHIs)? The management of NHIs and their secrets has emerged as a key facet of cybersecurity strategy, with the potential to significantly decrease the risk of security breaches and data leaks.
Non-Human Identities: The Silent Pillars […]
The post Which frameworks assist in ensuring compliance for NHIs? appeared first on Entro.
The post Which frameworks assist in ensuring compliance for NHIs? appeared first on Security Boulevard.
Is Your NHI Management GDPR Compliant?
It isn’t just humans who have identities, but machines as well. In-depth understanding and control over NHIs provide organizations with an upper hand in maintaining stringent cybersecurity measures. But have you ever paused to question how Non-Human Identities management aligns with GDPR and other comparable standards?
NHI Management and […]
The post How can I align our NHI management with GDPR and other standards? appeared first on Entro.
The post How can I align our NHI management with GDPR and other standards? appeared first on Security Boulevard.
Now that AI reasoning capabilities are advancing rapidly and becoming widely accessible, folks tend to argue that generative AI will bring us a new era of exploitation: more zero days, more vulnerabilities, more sophistication, and higher frequency. The emergence of new exploitation techniques will significantly increase the number of new vulnerabilities. We have seen in […]
The post Generative AI: threat or opportunity? It depends on your adaptive speed! appeared first on HolistiCyber.
The post Generative AI: threat or opportunity? It depends on your adaptive speed! appeared first on Security Boulevard.
Broadcom today updated its VMware vDefend platform to add additional security intelligence capabilities along with a streamlined ability to micro-segment networks using code to programmatically deploy virtual firewalls. Additionally, Broadcom has made it simpler to deploy and scale out the Security Services Platform (SSP) it uses to provide a data lake for collecting telemetry data.
The post Broadcom Extends Scope of VMware vDefend Cybersecurity Platform appeared first on Security Boulevard.
At Constella, we’ve spent years analyzing how cybercriminals execute attacks that affect organizations of all sizes, whether they’re startups, local businesses, or global enterprises. One of the most revealing recent cases involves the abuse of Email Marketing Platforms like MailChimp, whose accounts are being compromised through account takeover (ATO), phishing, and social engineering tactics. These …
The post MailChimp Under Attack: How Cybercriminals Are Exploiting Email Marketing Platforms appeared first on Security Boulevard.
Author/Presenter: Andrea M. Matwyshyn
Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino, and via the organization’s YouTube channel.
The post BSidesLV24 – IATC – Difficult Conversations appeared first on Security Boulevard.
Empowering MSPs, MSSPs & MDR Providers with Next-Gen Zero Trust Security
In today’s threat-filled digital landscape, reactive cybersecurity isn’t enough. Businesses, governments, and IT teams need proactive, intelligent defense that prevents attacks before they happen. That’s where ADAMnetworks—and our award-winning Zero Trust connectivity (ZTc) solution—comes in.
Through our Licensed Technology Partner (LTP) program, we equip Managed Service Providers with the tools, training, and support to deliver advanced protection and grow revenue.
“If I were in charge of securing an enterprise, I would not want to do it without this solution.”
— Steve Gibson, Security Expert
✓ Proactive, Zero Trust Defense
Blocks threats like phishing, ransomware, and data exfiltration automatically—even when users make mistakes.
✓ Full Network Visibility
ZTc inventories every connected device and detects unauthorized access instantly—IT, OT, IoT, and IIoT included.
✓ Continuous, Device-Wide Protection
Applies Zero Trust enforcement across the entire network, securing every device and connection with no blind spots.
✓ SC Media’s “Best SASE Solution”
Industry recognition confirms ZTc’s leadership in security innovation.
Revenue Growth
Offer ZTc as a managed service. Generate recurring income through licensing, support, and security monitoring.
Partner Training & Certification
Equip your team (or your clients’) with the knowledge and skills to deploy and support ZTc effectively.
Reduced Complexity
Simplify operations with automatic device inventory, threat traffic shaping, and Shadow IT resolution.
Lead Generation
Get direct referrals from ADAMnetworks to expand your client base.
Market Differentiation
Stand out in a crowded MSP/MSSP market with a unique, award-winning Zero Trust solution.
Built-In Compliance
ZTc aligns with today’s strictest regulatory frameworks—ideal for sectors like finance, healthcare, and government.
Scalable for Any Network
ZTc grows with your clients, protecting small businesses to enterprise environments without complexity.
With ADAMnetworks’ LTP program, you don’t just offer cybersecurity—you deliver peace of mind.
You’ll protect your clients with advanced, always-on defense and build a scalable business around it.
If you’re an MSP, MSSP, or MDR provider ready to offer the next level of cybersecurity, apply now to join the ADAMnetworks Licensed Technology Partner program. We’ll support you every step of the way.
Let’s bring Zero Trust to the front lines—together.
The post ADAMnetworks Licensed Technology Partner (LTP) Program appeared first on Security Boulevard.
As the new Snow White movie arrives in theaters with lackluster audience attendance (source), the absence of streaming options on platforms like Disney+ has nudged many users to seek pirated versions online. From our perspective, this kind of consumer behavior isn’t new, every high-profile movie release without a digital option becomes an opportunity for attackers […]
The post Snow White — Beware the Bad Apple in the Torrent appeared first on VERITI.
The post Snow White — Beware the Bad Apple in the Torrent appeared first on Security Boulevard.