Vercel screwed up (breaking down the Next.js CVE)

Next.js just had a 9.1-level critical security vulnerability. Middleware could be bypassed, exposing thousands of apps. This is really, really bad, right? Well, there's a bit more to it...

SOURCES

S/O Ph4se0n3 for the awesome edit 🙏
Comments
Author

My app was vulnerable because it used Clerk for authentication and authorization, where the user admin role was checked in the middleware (using the example shown in the Clerk docs) and the request was allowed or denied depending on the route starting with /admin (both for the UI pages and the API routes). Basically it was vulnerable because I followed the Clerk docs lol

igoralmeida
Author

Just listened to the first statement and had to comment. You missed a crucial point from these security researchers: cache poisoning (CPDoS). Sure, an app wouldn't be vulnerable via middleware because all sensitive routes and API calls should be protected via auth checks, but the cache isn't.

They have a simple repro where you could literally make an entire region, for example all paths under locale /en (default locale), return 404 as it's rewritten in middleware from "/". Effectively downing an entire website. So yeah, it's pretty vulnerable.

philheathslegalteam
Author

If Next.js uses middleware in a completely different way than the rest of the industry, that's on them. No reasonable dev would expect this to be the case.

isakgustavsen
Author

"get this removed. It is not accurate"
These docs were initially written as they were because "Authentication and Authorization" was an intended application of middleware.
It seems like this is an implementation issue, not a wording issue. Next.js failed to implement a middleware solution that solves the problems it set out to solve.

ge_onn
Author

If you go to better-auth, their docs tell you to use middleware for auth checks. So I'm confused by your statement that I shouldn't do that.

gonzalosanchez
Author

I mean... even if it's named as route interceptor in the first place, it still shouldn't get bypassed. So, is this really about naming?

kennithtse
Author

It's incredible that Theo managed to react even slower than Vercel.

FIash
Author

The "it's named wrong" defense makes no sense and seems like it could be applied in post to any issue to downplay the seriousness of it.

thishandleisntavailable
Author

Am I understanding the issue right? Vercel offers a middleware layer that runs before a request is passed to its route; auth is often added via middleware in other frameworks. But if you pass a header in your request you can bypass certain middleware?

How is that not a vulnerability? Saying "oh they shouldn't have named it middleware" is a laughable defence

bertrodgers
Author

18:54: was the whole Vercel team flying for 10+ days? Crazy.

amine
Author

CVSS 9.1 is not an overstatement. Already enough to justify by: 1) Impact scope: every Next.js app, 2) Consequence: potentially leaking REAL serious secrets or even admin control.
But I think more importantly, if a framework can't guarantee middleware will be executed as expected, so is to await auth(). No matter how many times you add it in your app, there is no guarantee that you are safe, purely because of the complex nature of the client-mix-server-mix-edge thing, plus the magic Next.js uses to try to hide it from the user.
We are just lucky on not discovering the vulnerability of "await auth() in component" yet.

nakamuragames
Author

tbf it's not really the researcher's fault he thought it was used for auth if the docs literally said that

RemotHuman
Author

"No one should be using Next.js' middleware for auth anyway. And if they do they'd likely have other security issues. Therefore, the vulnerability isn't that bad."

Congrats on the gold medal for mental gymnastics.

alebelcor
Author

I don't understand the hate for static pages behind auth. Maybe my backend brain is too grug to understand, but how the content is created (static/dynamic) doesn't change how it's accessed? Like if your CDN is allowing you to access content you shouldn't be allowed to, idc how that content was created, just lock it down. Is the argument that dynamic content doesn't get cached in the CDN so it's one less place for it to be? But then you can set Cache-Control: no-cache headers on static content too, right?

stephenreaves
Author

Should I learn Next.js now? I'm confused, people keep saying everybody is moving away from Next.js.

mixedmesh
Author

my man finally did a convex sponsored video

WebDevCody
Author

Next.js middleware has given me so many headaches because I was trying to use it as... well... middleware. Once I figured out it's borderline useless (outside very limited use cases) I completely liberated myself from it and my dev experience improved. Not as much as it would have improved if Next had real middleware tho.

nasko
Author

JS dev safe code challenge (impossible)

Dr-Zed
Author

Experienced framework dev here.

Trusting data in HTTP headers between middleware steps (regardless of whether it's "traditional" middleware or not) is the issue at hand here.

It's a fairly significant mistake. If you need to pass internal messages using headers in a middleware stack, they MUST be internally validated with some sort of secret.

Everything else in this video is secondary. They should probably be named something else for clarity, and the docs definitely need to be better... but if your framework isn't doing basic input validation in an early stage critical path, you can't trust what happens after that.

betterthanclay
Author

Taking one of your statements to extreme: NextJS as a set of primitives one composes? Are you really suggesting we should have a metaframework for metaframework just so that developers can develop and not create their own frameworks?

tomasporemba