@opennextjs/aws is vulnerable to Authorization Bypass
Risk score: 91 (Critical Risk)
Affected versions of this package are vulnerable to an authorization bypass due to improper validation of internal requests. The middleware exempts internal requests from authorization checks but fails to verify their authenticity, allowing attackers to spoof internal requests and bypass access controls. By crafting a request with a forged internal flag, an attacker can gain unauthorized access to protected routes or critical system functionalities.
You are affected if you are using a version that falls within the vulnerable range.
@opennextjs/aws is vulnerable to Authorization Bypass in versions 2.3.0 - 3.5.3.
Upgrade the @opennextjs/aws library to a patched version.
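The flaw class described above, as an added sketch that is not code from @opennextjs/aws or from this advisory: an exemption keyed on a client-settable flag, next to a check that only honours the flag when it carries a fresh HMAC. The header names, the shared secret and the `authorize` helper are hypothetical.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Hypothetical header names for this sketch; not the library's real ones.
const FLAG = "x-internal-request";
const SIG = "x-internal-signature";
const TS = "x-internal-timestamp";
const MAX_SKEW_MS = 30000;

// Vulnerable pattern: the flag is taken at face value, so any client
// that sets it is exempted from authorization.
function isInternalVulnerable(req) {
  return req.headers[FLAG] === "1";
}

// HMAC over method, path and timestamp, keyed with a secret that only
// the trusted internal caller holds (assumption of this sketch).
function sign(secret, method, path, ts) {
  return createHmac("sha256", secret).update(`${method}\n${path}\n${ts}`).digest("hex");
}

// Hardened pattern: the flag counts only with a valid, recent signature.
function isInternalVerified(req, secret, now = Date.now()) {
  if (req.headers[FLAG] !== "1") return false;
  const ts = Number(req.headers[TS]);
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_SKEW_MS) return false;
  const expected = Buffer.from(sign(secret, req.method, req.path, ts), "hex");
  const given = Buffer.from(String(req.headers[SIG] || ""), "hex");
  // Length check first: timingSafeEqual throws on unequal lengths.
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Middleware decision: internal requests skip the user-auth check.
function authorize(req, isInternal) {
  if (isInternal(req)) return "allow (internal)";
  return req.headers.authorization ? "allow (authenticated)" : "deny";
}

// Constructed sample request: flag set, no signature, no credentials.
const flagOnly = { method: "GET", path: "/admin", headers: { [FLAG]: "1" } };
console.log(authorize(flagOnly, isInternalVulnerable));                         // exempted
console.log(authorize(flagOnly, (r) => isInternalVerified(r, "demo-secret"))); // denied
```

Stripping these headers from all inbound external traffic at the edge is a complementary control, so that only the internal caller can ever set them.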