A recently discovered vulnerability in Next.js could lead to trivial authentication bypass, affecting all versions of the framework. Security researchers suggest that this flaw can allow threat actors to log in as regular users on e-commerce sites and then access sensitive administrative features simply by modifying request headers. The absence of exploitability preconditions increases the risk associated with this vulnerability, underscoring its significant impact on web application security.
"If you are affected, it basically allows a very trivial authentication bypass," he said. If Next.js is used on an e-commerce site, for example, all a threat actor would have to do is log in as a regular customer and they could explore the company's use of the framework, then tamper with security controls.
"You can access things like admin features that are supposed to be authorized just by adding a simple header [to bypass security]," he said.
According to researchers Rachid A and Yasser Allam, who discovered the hole, "the impact is considerable, with all versions affected and no preconditions for exploitability."