Next.js has published a security advisory detailing an authorisation bypass vulnerability present in Next.js, a popular and open-source React-based web development framework that is used to build full-stack web applications in use in the UK and around the world. 

An attacker may be able to exploit this vulnerability by sending an external request to the system that the system treats as an internal request, bypassing authorisation checks and giving unauthorised access to sensitive data.

Proof-of-concept exploits for this vulnerability are widely and freely available.

The NCSC recommends following vendor best practice advice to mitigate vulnerabilities. In this case, if you use an affected product, you should take these priority actions: 

1. Update to one of the latest fixed versions listed on the vendor’s website at the earliest opportunity.

2. If updating to a fixed version is not feasible, the vendor has recommended that external user requests containing the “x-middleware-subrequest” header be blocked from reaching your Next.js application. This should be a temporary measure until updating to the latest version is possible.

3. Monitor logs for potential attacks, for example x-middleware-request  headers in external requests.

4. If you suspect a compromise, find out where to report by visiting gov.uk/report-cyber.