<h1>Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks</h1>
<p>24 March 2025 | Ravie Lakshmanan | Vulnerability / Web Security</p>
<p>A critical security flaw has been disclosed in the Next.js React framework.</p>
<p>The vulnerability, tracked as <strong><a rel="noopener nofollow" href="https://nvd.nist.gov/vuln/detail/CVE-2025-29927" target="_blank">CVE-2025-29927</a></strong>, carries a CVSS score of 9.1 out of 10.0.</p>
<p>"Next.js uses an internal header, x-middleware-subrequest, to prevent recursive requests from triggering infinite loops," Next.js <a rel="noopener nofollow" href="https://nextjs.org/blog/cve-2025-29927" target="_blank">said</a> in an advisory.</p>
<p>"It was possible to skip running <a rel="noopener nofollow" href="https://nextjs.org/docs/pages/building-your-application/routing/middleware" target="_blank">middleware</a>, which could allow requests to skip critical checks, such as authorization cookie validation, before reaching routes."</p>
<p>It is worth noting that CVE-2025-29927 only impacts self-hosted deployments that use "next start" with "output: standalone". Next.js applications hosted on Vercel and Netlify, or deployed as static exports, are not affected.</p>
<p>The shortcoming has been addressed in versions 12.3.5, 13.5.9, 14.2.25 and 15.2.3. If patching is not an option, users are advised to prevent external requests that contain the x-middleware-subrequest header from reaching the Next.js application.</p>
<p>Security researcher Rachid Allam (aka zhero and cold-try), who is credited with discovering and reporting the flaw, has since published <a rel="noopener nofollow" href="https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware" target="_blank">additional technical details</a> of the flaw, making it imperative that users move quickly to apply the fixes.</p>
<p>"The vulnerability allows attackers to easily bypass authorization checks performed in Next.js middleware," JFrog Security <a rel="noopener nofollow" href="https://x.com/JFrogSecurity/status/1903798429651701843" target="_blank">said</a>.</p>
<p>The company also said that any website that uses middleware to authorize users, without any additional authorization checks, is vulnerable to CVE-2025-29927, potentially allowing attackers to access otherwise unauthorized resources (e.g., admin pages).</p>
<p>Source: <a href="https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html" rel="nofollow noopener" target="_blank">The Hacker News</a></p>
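<p>The following is an added example, not code from the article, from the Next.js project or from the researcher's write-up. It models in plain JavaScript what the advisory describes: a dispatch step that skips middleware for requests flagged as internal subrequests, so that an external client setting the x-middleware-subrequest header also skips the authorization check, beside the mitigation the advisory recommends of stripping that header from inbound requests. The /admin path, the "session" cookie name and the presence-only header check are assumptions made for illustration; the real framework inspects the header's value, which this page does not describe, and the strip works whatever that value is.</p>

```javascript
// Added example, not Next.js source: a simplified model of the CVE-2025-29927
// middleware skip and of the mitigation the advisory recommends (drop the
// x-middleware-subrequest header from external requests before the app sees it).
// Assumptions for illustration: the /admin path, the "session" cookie name, and
// a presence-only check for the internal header (the real framework inspects
// the header's value; the exact check is not described on this page).

const INTERNAL_HEADER = 'x-middleware-subrequest';

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const cookies = {};
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Stand-in for an authorization middleware: /admin requires a session cookie.
// Returns a response to short-circuit with, or null to continue to the route.
function authMiddleware(req) {
  const { session } = parseCookies(normalizeHeaders(req.headers).cookie);
  if (req.path.startsWith('/admin') && !session) {
    return { status: 401, body: 'unauthorized' };
  }
  return null;
}

function routeHandler(req) {
  return { status: 200, body: req.path.startsWith('/admin') ? 'admin panel' : 'public page' };
}

// Model of the vulnerable dispatch: a request flagged as an internal subrequest
// skips the middleware (the skip exists to stop recursion), so an external
// client that sets the header skips the authorization check as well.
function vulnerableDispatch(req) {
  const isSubrequest = INTERNAL_HEADER in normalizeHeaders(req.headers);
  if (!isSubrequest) {
    const blocked = authMiddleware(req);
    if (blocked) return blocked;
  }
  return routeHandler(req);
}

// Mitigation from the advisory, applied at the edge in front of the app:
// remove the internal header from every inbound request, whatever its value.
function stripInternalHeader(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    if (name.toLowerCase() !== INTERNAL_HEADER) headers[name] = value;
  }
  return { ...req, headers };
}

function hardenedDispatch(req) {
  return vulnerableDispatch(stripInternalHeader(req));
}

// Constructed sample requests: an anonymous client that forges the header,
// and a client that presents a session cookie.
const forgedAnon = { path: '/admin', headers: { 'X-Middleware-Subrequest': 'middleware' } };
const withSession = { path: '/admin', headers: { Cookie: 'session=abc123' } };

console.log('vulnerable, forged header :', vulnerableDispatch(forgedAnon)); // status 200
console.log('hardened,   forged header :', hardenedDispatch(forgedAnon));   // status 401
console.log('hardened,   session cookie:', hardenedDispatch(withSession));  // status 200
```

<p>The strip belongs in whatever sits in front of the application, not in the application itself, since the point is that the header never reaches the vulnerable dispatch. With nginx, for instance, <code>proxy_set_header X-Middleware-Subrequest "";</code> clears the header before the request is proxied (nginx drops a proxied header whose value is set to the empty string; this is nginx behaviour, not something the advisory spells out). It is a stopgap only: upgrading to a fixed release remains the fix.</p>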