4.2.0 released to avoid Authorization to be bypassed in middlewares #1991
frederikprijck
announced in Announcements
Replies: 2 comments
- We will also be patching v3 as soon as possible with the same changes; here's the PR for v3: #1989
  0 replies
- Vercel has cut a new set of releases that remove the support for
  This ensures the vulnerable code no longer exists, rather than the vulnerability being addressed.
  0 replies
Hey everyone,

Security researchers have found a vulnerability in Next.js that allows Authorization to be bypassed in middlewares (advisory).

As our SDK relies on middleware, using our SDK with a version of Next.js that has the vulnerability puts your application(s) at risk.

The resolution here is to not use any version of Next.js in your application that is vulnerable. This means you should ensure your application uses any of the following versions of Next.js:

To help with resolution here, we have changed our peer dependency for v4 of our SDK from `"next": "^14.0.0 || ^15.0.0"` to `"next": "^14.2.25 || ^15.2.3"` (see PR). Even though this is technically a breaking change, we have made the decision to release this as a minor version bump. We hope for your understanding of breaking semver here; the sole purpose is to help guide you to use a non-vulnerable version of Next.js and keep your applications secure.

For v4, the change has been released as 4.2.0.

Please read the in-depth article about the issue and the resolution, as well as the Vercel blog post, and know that upgrading the version of Next.js is the recommended path. If for some reason upgrading Next.js to any non-vulnerable version is not possible, the workaround is to block any `x-middleware-subrequest` header in your middleware:

Important resources on the subject:

Note that applications running on Vercel or Netlify are not affected by the vulnerability.

If you have any questions, feedback or concerns, reply below so we can help address them.
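The header-blocking workaround the post describes, as an added example that is neither the SDK's own code nor the snippet from the original post: a framework-agnostic check that rejects any request carrying an `x-middleware-subrequest` header with a 403. It assumes only the Web standard `Request`, `Response` and `Headers` objects (available in Node 18+ and in the Next.js edge runtime); the Next.js wiring shown in the trailing comment is an assumption for illustration, not taken from the page. As the post says, upgrading Next.js is the recommended path; this is the stop-gap for when that is not possible.

```javascript
// Added example, not the nextjs-auth0 SDK's own code: reject any request that
// arrives with the x-middleware-subrequest header, which is the workaround the
// announcement names for deployments that cannot upgrade Next.js yet.

const BLOCKED_HEADER = "x-middleware-subrequest";

// Returns a 403 Response when the request carries the header, otherwise
// undefined so the caller can let the request continue. Headers.has() is
// case-insensitive, so X-Middleware-Subrequest and other casings are caught too.
function blockMiddlewareSubrequest(request) {
  if (request.headers.has(BLOCKED_HEADER)) {
    return new Response("Forbidden", { status: 403 });
  }
  return undefined;
}

// Self-check against two constructed requests (sample values, not from the page):
// one clean, one carrying the header under a mixed-case name.
function selfCheck() {
  const clean = new Request("https://example.invalid/dashboard");
  const tainted = new Request("https://example.invalid/dashboard", {
    headers: { "X-Middleware-Subrequest": "set-by-client" },
  });
  return {
    cleanStatus: blockMiddlewareSubrequest(clean)?.status ?? null, // null: pass through
    taintedStatus: blockMiddlewareSubrequest(tainted)?.status ?? null, // 403: rejected
  };
}

// Assumed Next.js wiring (hypothetical; needs `import { NextResponse } from "next/server"`
// in a real middleware.js/ts file, which this stand-alone example omits):
//   export function middleware(request) {
//     const rejected = blockMiddlewareSubrequest(request);
//     if (rejected) return rejected;
//     return NextResponse.next();
//   }
```

Where a proxy in front of the application already strips the header (the post notes that applications on Vercel or Netlify are not affected), the check simply never fires, so it is safe to leave in place until the Next.js upgrade lands.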