惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Apple Machine Learning Research
Apple Machine Learning Research
AWS News Blog
AWS News Blog
Google DeepMind News
Google DeepMind News
U
Unit 42
博客园 - 叶小钗
博客园 - 聂微东
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
有赞技术团队
有赞技术团队
aimingoo的专栏
aimingoo的专栏
D
DataBreaches.Net
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Jina AI
Jina AI
美团技术团队
The Cloudflare Blog
M
MIT News - Artificial intelligence
Microsoft Azure Blog
Microsoft Azure Blog
I
InfoQ
S
Schneier on Security
C
Check Point Blog
Project Zero
Project Zero
The Hacker News
The Hacker News
Scott Helme
Scott Helme
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Cisco Talos Blog
Cisco Talos Blog
P
Privacy International News Feed
SecWiki News
SecWiki News
Latest news
Latest news
MongoDB | Blog
MongoDB | Blog
S
Secure Thoughts
Google Online Security Blog
Google Online Security Blog
F
Fortinet All Blogs
博客园 - 三生石上(FineUI控件)
H
Help Net Security
TaoSecurity Blog
TaoSecurity Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Last Week in AI
Last Week in AI
P
Privacy & Cybersecurity Law Blog
Forbes - Security
Forbes - Security
G
GRAHAM CLULEY
N
Netflix TechBlog - Medium
L
Lohrmann on Cybersecurity
A
About on SuperTechFans
T
The Exploit Database - CXSecurity.com
C
Cisco Blogs
PCI Perspectives
PCI Perspectives
大猫的无限游戏
大猫的无限游戏
T
Troy Hunt's Blog
H
Hacker News: Front Page
Vercel News
Vercel News

Vercel News

Vercel Open Source Program: Winter 2026 cohort How Notion Workers run untrusted code at scale with Vercel Sandbox How we run Vercel's CDN in front of Discourse From idea to secure checkout in minutes with Stripe Building Slack agents can be easy Scaling redirects to infinity on Vercel Advancing Python typing Gamma builds design-first agents with Vercel How Avalara turns pipe dreams into patent-pending with v0 Keeping community human while scaling with agents How OpenEvidence built a healthcare AI that physicians actually trust Security boundaries in agentic architectures Skills Night: 69,000+ ways agents are getting smarter Video Generation with AI Gateway We Ralph Wiggumed WebStreams to make them 10x faster How Stably ships AI testing agents in hours, not weeks How we built AEO tracking for coding agents Anyone can build agents, but it takes a platform to run them Introducing Geist Pixel The Vercel AI Accelerator is back with $6m in credits Making agent-friendly pages with content negotiation The Vercel OSS Bug Bounty program is now available Introducing the new v0 Run untrusted code with Vercel Sandbox, now generally available How Stripe built a game-changing app in a single flight with v0 How Sensay went from zero to product in six weeks AGENTS.md outperforms skills in our agent evals Agent skills explained: An FAQ Testing if "bash is all you need" AWS databases are now live on the Vercel Marketplace and v0 Use Perplexity Web Search with Vercel AI Gateway Introducing: React Best Practices Nick Bogaty joins Vercel as Chief Revenue Officer How Mux shipped durable video workflows with their @mux/ai SDK How to build agents with filesystems and bash How we made v0 an effective coding agent Stopping the slow death of internal tools Building AI-Generated Pixel Trading Cards with Vercel AI Gateway We removed 80% of our agent’s tools AI SDK 6 Our $1 million hacker challenge for React2Shell Cline now runs on Vercel AI Gateway How to prompt v0 Build smarter workflows with Notion and v0 Vercel launches partner certification Inside Workflow DevKit: How framework integrations work React2Shell Security Bulletin | Vercel Knowledge Base Billions of requests: Black Friday-Cyber Monday 2025 Investing in the Python ecosystem AWS Databases coming to the Vercel Marketplace How we built the v0 iOS app Workflow Builder: Build your own workflow automation platform Vercel Open Source Program: Fall 2025 cohort Self-driving infrastructure Vercel collaborates with Google for Gemini 3 Pro Preview launch Vercel: The anti-vendor-lock-in cloud How Nous Research used BotID to block automated abuse at scale How AI Gateway runs on Fluid compute What we learned building agents at Vercel Build and deploy data applications on Snowflake with v0 BotID Deep Analysis catches a sophisticated bot network in real-time Vercel achieves TISAX AL2 compliance to serve automotive partners Bun runtime on Vercel Functions David Totten Joins Vercel to Lead Global Field Engineering Vercel Ship AI 2025 recap You can just ship agents AI agents and services on the Vercel Marketplace Built-in durability: Introducing Workflow Development Kit Zero-config backends on Vercel AI Cloud Introducing Vercel Agent: Your new Vercel teammate Update regarding Vercel service disruption on October 20, 2025 Agents at work, a partnership with Salesforce and Slack Running Next.js in ChatGPT: How to Build ChatGPT Apps Talha Tariq joins Vercel as CTO of Security Just another (Black) Friday Server rendering benchmarks: Fluid Compute and Cloudflare Workers Towards the AI Cloud: Our Series F Collaborating with Anthropic on Claude Sonnet 4.5 to power intelligent coding agents Preventing the stampede: Request collapsing in the Vercel CDN BotID uncovers hidden SEO poisoning How we made global routing faster with Bloom filters What you need to know about vibe coding Scale to one: How Fluid solves cold starts Addressing security & quality issues with MCP tools - Vercel AI agents at scale: Rox’s Vercel-powered revenue operating system Agentic Infrastructure Zero Data Retention on AI Gateway Optimizing Vercel Sandbox snapshots How Waldium made a blog platform work for humans and AI alike How FLORA shipped a creative agent on Vercel's AI stack Agent responsibly Making Turborepo 96% faster with agents, sandboxes, and humans Unified reporting for all AI Gateway usage new.website joins forces with v0 SERHANT.'s playbook for rapid AI iteration Two startups at global scale without DevOps Chat SDK brings agents to your users 360 billion tokens, 3 million customers, 6 engineers Meet the 2026 Vercel AI Accelerator Cohort Build knowledge agents without embeddings
Postmortem on Next.js Middleware bypass - Vercel – Vercel
Ty Sbano · 2025-03-25 · via Vercel News

5 min read

Last week, we published CVE-2025-29927 and patched a critical severity vulnerability in Next.js. Here’s our post-incident analysis and next steps.

Link to headingTimeline

Link to heading2025-02-27

On 27 Feb 2025 06:03:00 GMT, the vulnerability was disclosed to the Next.js team through GitHub private reporting. The researchers also emailed security@vercel.com.

The initial report disclosed the vulnerability in older versions of Next.js (12.x). Due to the old version range, this was given lower priority in our triage queue.

Link to heading2025-03-01

An additional email was sent at 01 Mar 2025 02:00:00 GMT in a new thread, which extended the affected scope to more recent versions.

Due to multiple reports submitted and internal conversations, triaging was delayed.

Link to heading2025-03-05

We began investigating the report to understand the validity and potential impact.

Our security team responded at 05 Mar 2025 10:38:00 GMT outlining our plans to release an LTS policy (now published) which would place Next.js 11.x and 12.x out of support for security patches.

Link to heading2025-03-14

Our security team raised the report to the Next.js team to begin researching impact and remediation options at 14 Mar 2025 17:18:00 GMT. The Next.js engineering team confirmed the vulnerability as valid.

Since Next.js can be hosted in multiple ways, all paths needed to be examined.

  1. Static exports were immediately ruled out due to Middleware not being available without a server runtime.

  2. We then confirmed self-hosted Next.js applications using next start and output: 'standalone' were impacted.

  3. We then investigated impact on Vercel. The Next.js routing logic is decoupled and runs in a separate system, distributed globally. This made Vercel incidentally invulnerable.

  4. Our team then examined open-source Next.js adapters for deploying to other infrastructure platforms. Netlify and Cloudflare Workers were confirmed to never have been affected, for the same decoupling of application routing.

On Friday, we determined the best solution for fixing forward was to add validation when the x-middleware-subrequest header was passed—then, filter it out if the validation failed. We also listed a workaround for applications unable to upgrade by filtering out the header before it hit the Next.js server. The team began preparing patches for Next.js 15.x and 14.x.

Link to heading2025-03-17

On Monday, a pull request containing the patch was opened on the Next.js GitHub repository on 17 Mar 2025 17:54:00 GMT.

It was then merged at 17 Mar 2025 20:56:00 GMT.

A patch was released for Next.js 14.2.25 at 17 Mar 2025 22:44:00 GMT and Next.js 15.2.3 at 18 Mar 2025 00:23:00 GMT.

Link to heading2025-03-18

CVE-2025-29927 was issued by GitHub at 18 Mar 2025 18:03:00 GMT.

Link to heading2025-03-21

CVE-2025-29927 was made public at 21 Mar 2025 10:17:00 GMT.

At this time, the only public details available were on the published CVE, which did not cover enough detail to understand the impact of the issue.

While we did verify Netlify and Cloudflare Workers were not impacted, we should have communicated this with their team. Further, we could have done a better job of proactive communication with other infrastructure providers and auth partners.

Link to heading2025-03-22

Because the CVE did not state immediately whether Vercel applications were impacted (it was later updated), we quickly published a changelog on Vercel stating customers were protected.

The changelog used the same template from our last resolution, which mentioned our Firewall. This was confusing and did not provide appropriate level of detail on the vulnerability itself.

We published a blog post on the Next.js site explaining the CVE in preparation for the full postmortem to come later, as well as sharing to official social channels.

Later that day, we published a backport for Next.js 13.5.9 at 22 Mar 2025 21:21:00 GMT. While this is outside of our now published LTS policy, we made an exception based on community feedback.

Link to heading2025-03-23

We published an additional backport for Next.js 12.3.5 at 23 Mar 2025 06:44:00 GMT.

Link to headingTechnical analysis

Middleware allows you to redirect, rewrite, or modify the incoming request before producing a response. Because of this, Middleware runs before caching and routing happens.

A pattern that some Next.js applications adopt is using middleware to optimistically verify a user's authentication state by checking cookies. If an auth cookie is set, you can early redirect to the logged-in application (or block specific routes). We do not recommend Middleware to be the sole method of protecting routes in your application.

Next.js uses an internal x-middleware-subrequest header to detect and prevent recursion—and bypass the execution of Middleware. Middleware happens separately from the rendering process of a page. Because of the Middleware running in a separate process, we had to leverage an internal header to signal to the routing process that the Middleware had already run when doing a fetch to the app from inside the Middleware.

Read more about the vulnerability details from the reporter.

Link to headingNext Steps

  • Partner mailing list: To help us more proactively work with partners depending on Next.js, and other infrastructure providers, we are opening a partner mailing list. Please reach out to partners@nextjs.org to be included.

  • Simplify how issues get reported: We have consolidated security@vercel.com and responsible.disclosure@vercel.com to only use GitHub’s private vulnerability reporting for Next.js. This will help us triage incoming reports more effectively.

  • Improved process: We are improving how our teams can respond to disclosures and enhancing our run books for Next.js vulnerabilities. Specifically, how we triage reports from open-source to frameworks like Next.js, and the working relationship between our security engineers and the Next.js team.

  • Long Term Support (LTS) policy: We have published an LTS policy to outline which versions are actively supported with patches.

  • Deployment adapters: This vulnerability relied on an internal header that was undocumented. As we work on implementing an official deployment adapters API with partners like Netlify and Cloudflare, we will ensure we document those internal headers or replace them with an appropriate API.

  • Security assessment: We are further investigating if there are additional places to improve the security of Middleware. All subsequent issues uncovered will follow the new CVE process.

Link to headingAcknowledgments

Thank you to security researchers Rachid Allam (zhero) and Yassir Alam (inzo_) for responsibly disclosing this issue to our team. These researchers were awarded payouts as part of our bug bounty program.