This repository contains a sample Next.js application that demonstrates the authorization bypass vulnerability in Next.js Middleware (GHSA-f82v-jwr5-mffw). The vulnerability was present in Next.js version 13.5.6 and fixed in version 13.5.9.
CVE ID: CVE-2023-46298
Vulnerability: Authorization Bypass in Next.js Middleware
Affected Version: Next.js 13.5.6
Fixed Version: Next.js 13.5.9
GitHub Security Advisory: GHSA-f82v-jwr5-mffw
Severity: Medium
In Next.js 13.5.6, there is a vulnerability in the middleware that allows bypassing authorization checks by manipulating the URL. The middleware is supposed to protect routes like /protected and /admin, but due to the vulnerability, these routes can be accessed even without authentication by using specific URL patterns.
- Node.js 16 or later
- npm or yarn

- Clone the repository:

  ```bash
  git clone https://github.com/yourusername/vulnerable-nextjs-app.git
  cd vulnerable-nextjs-app
  ```

- Install dependencies:

  ```bash
  npm install
  ```

- Run the development server:

  ```bash
  npm run dev
  ```

- Open http://localhost:3000 in your browser to see the application.

Docker:

- Build the Docker image:

  ```bash
  docker build -t vulnerable-nextjs-app .
  ```

- Run the Docker container:

  ```bash
  docker run -p 3000:3000 vulnerable-nextjs-app
  ```

- Open http://localhost:3000 in your browser to see the application.
To fix the Next.js middleware vulnerability, update Next.js to version 13.5.9 or later in the package.json file:

```json
"dependencies": {
  "next": "13.5.9",
  "react": "^18.2.0",
  "react-dom": "^18.2.0"
}
```
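As an added example that is not part of this repository: a small Node.js script that reads a package.json text and reports whether the `next` dependency is at or above the fixed release stated above (13.5.9). The function names (`assessNextDependency`, `rangeMinimum`) and the sample manifests are this example's own.

```javascript
// Added example (not code from the sample repository): report whether the
// "next" entry of a package.json text is at or above the fixed release
// named on this page (13.5.9). Only the 13.x bounds stated here are used;
// consult the advisory for other release lines.
const FIXED_VERSION = '13.5.9';

// Returns [major, minor, patch, isFinalRelease] or null if not a version.
// A pre-release such as 13.5.9-canary.1 sorts below the final 13.5.9.
function parseVersion(v) {
  const [core, prerelease] = v.split('-');
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return null;
  return [...parts, prerelease ? 0 : 1];
}

function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// A range is judged by its lower bound, because an older lockfile can keep
// that bound installed; unsupported range syntax is reported as unknown.
function rangeMinimum(range) {
  const m = /^(?:\^|~|>=|=)?\s*(\d+\.\d+\.\d+(?:-[\w.]+)?)$/.exec(range.trim());
  return m ? m[1] : null;
}

function assessNextDependency(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const range = (pkg.dependencies || {}).next;
  if (!range) return { status: 'not-found' };
  const minimum = rangeMinimum(range);
  const parsed = minimum && parseVersion(minimum);
  if (!parsed) return { status: 'unknown', range };
  const fixed = compareVersions(parsed, parseVersion(FIXED_VERSION)) >= 0;
  return { status: fixed ? 'fixed' : 'vulnerable', range, minimum };
}

// Constructed manifests mirroring the vulnerable and fixed versions above.
const samples = {
  vulnerable: '{"dependencies":{"next":"13.5.6","react":"^18.2.0"}}',
  fixed: '{"dependencies":{"next":"13.5.9","react":"^18.2.0"}}',
};
for (const [name, text] of Object.entries(samples)) {
  console.log(name, assessNextDependency(text));
}
```

The manifest range is only a lower bound; also check the installed copy (`node_modules/next/package.json` or `npm ls next`), since the lockfile decides what actually runs.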