3.7.0 released to avoid Authorization to be bypassed in middlewares

[frederikprijck]

Hey everyone,

Security researchers have found a vulnerability in Next.js that allows Authorization to be bypassed in middlewares (advisory).
As our SDK relies on middleware, using our SDK with a version of Next.js that has the vulnerability, puts your application(s) at risk.
The resolution here is to not use any version of Next.js in your application that is vulnerable. This means, you should ensure your application uses any of the following versions of Next.js:

• v12.3.5 or above
• v13.5.9 or above
• v14.2.25 or above
• v15.2.3 or above

To help with resolution here, we have changed our peer dependency for v3 of our SDK from "next": ">=10" to "next": "^10.0.0 || ^11.0.0 || ^12.3.5 || ^13.5.9 || ^14.2.25 || ^15.2.3" (See PR)
Even though this is technically a breaking change, we have made the decision to release this as a minor version bump, we hope for your understanding of breaking semversioning here, with the sole purpose to help guide you to use a non-vulnerable version of Next.js and keep your applications secure.

For V3, the change has been released as 3.7.0.

Please read the in-depth article about the issue and the resolution, as well as the Vercel blog post, and know that upgrading the version of Next.js is the recommended path. If for some reason, upgrading Next.js to any non-vulnerable version is not possible, the workaround is to block any x-middleware-subrequest header in your middleware:

export function middleware(request: NextRequest) {
  if (request.headers.has('x-middleware-subrequest')) {
    return new Response('Unauthorized', { status: 401 });
  }
  return NextResponse.next();
}

Important resources on the subject:

• Vercel blog post
• Cloudflare blog post
• Message from Netlify on X

Note that applications running on Vercel or Netlify are not affected by the vulnerability.

If you have any questions, feedback or concerns, reply below so we can help address them.

[frederikprijck]

Vercel has cut a new set of releases that remove the support for x-middleware-subrequest altogether. We recommend ensuring to set your version of NextJS to any of:

• 13.5.10
• 12.3.6
• 14.2.26
• 15.2.4

This ensures the vulnerable code no longer exists, rather than the vulnerability being addressed.