Next.js middleware authorization bypass vulnerability (CVE-2025-29927): mansion88明升 provides solutions
Published 2025-03-25. Next.js is a popular React-based web application framework that provides server-side rendering, static site generation, an integrated routing system and related features.
In March 2025, mansion88明升 observed intelligence on the Next.js middleware authorization bypass vulnerability (CVE-2025-29927). When a Next.js application uses middleware, a client that adds a specially crafted x-middleware-subrequest request header can bypass the logic in that middleware. The header exists to mark the framework's own internal sub-requests so that middleware does not recurse on itself, but affected versions trusted the client-supplied value. If middleware is where authentication and authorization are enforced, an attacker can therefore reach protected routes without authenticating. The vulnerability has a CVSSv3 score of 9.1, which falls in the critical band, and is rated high-risk.
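The following JavaScript is an added example, not Next.js's own code and not from the advisory or its vendor. It models the decision the vulnerable versions make and the two mitigations discussed on this page. The header name and the depth guard of 5 follow the published analysis of the bug (the framework skips middleware once the header lists the middleware name five times, with the name `middleware` for a root-level middleware file or `src/middleware` when it lives under src/; older versions skipped middleware as soon as the name appeared at all). The function names, the cookie check, the sample request and the route layout are assumptions made for illustration.

```javascript
// Added example, not Next.js's own code: a model of the CVE-2025-29927
// middleware bypass and of two mitigations. The header name and the depth
// guard of 5 follow the public analysis; everything else is illustrative.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';
const MAX_RECURSION_DEPTH = 5; // loop guard the vulnerable versions rely on

// Model of the vulnerable decision: the header is meant to mark internal
// sub-requests, but the client-supplied value is trusted. Middleware is
// skipped once the header names the middleware MAX_RECURSION_DEPTH times
// (older versions skipped it as soon as the name appeared at all).
function vulnerableShouldRunMiddleware(headers, middlewareName) {
  const raw = headers[SUBREQUEST_HEADER] || '';
  const depth = raw.split(':').filter((n) => n === middlewareName).length;
  return depth < MAX_RECURSION_DEPTH;
}

// Application middleware (assumed): require a session cookie under /admin.
function authMiddleware(req) {
  if (req.path.startsWith('/admin') && req.headers.cookie !== 'session=valid') {
    return { status: 302, location: '/login' };
  }
  return null; // continue to the page
}

// Vulnerable deployment: middleware is the only authorization check.
function vulnerableApp(req, middlewareName = 'middleware') {
  if (vulnerableShouldRunMiddleware(req.headers, middlewareName)) {
    const blocked = authMiddleware(req);
    if (blocked) return blocked;
  }
  return { status: 200, body: `page:${req.path}` };
}

// Mitigation 1 (reverse proxy / WAF): drop the internal header from any
// client request, which is what the advisory recommends if patching must wait.
function stripInternalHeaders(headers) {
  const clean = {};
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() !== SUBREQUEST_HEADER) clean[k] = v;
  }
  return clean;
}

// Mitigation 2 (defence in depth): the protected route checks authorization
// itself instead of assuming middleware ran.
function hardenedApp(req, middlewareName = 'middleware') {
  const safeReq = { ...req, headers: stripInternalHeaders(req.headers) };
  if (vulnerableShouldRunMiddleware(safeReq.headers, middlewareName)) {
    const blocked = authMiddleware(safeReq);
    if (blocked) return blocked;
  }
  if (safeReq.path.startsWith('/admin') && safeReq.headers.cookie !== 'session=valid') {
    return { status: 401, body: 'unauthorized' };
  }
  return { status: 200, body: `page:${safeReq.path}` };
}

// Header value an attacker sends: the middleware name repeated until the
// modelled depth guard trips. The name is 'middleware' for a root-level
// middleware.ts and 'src/middleware' when the file lives under src/.
function bypassHeaderValue(middlewareName = 'middleware') {
  return Array(MAX_RECURSION_DEPTH).fill(middlewareName).join(':');
}

// Constructed sample: an unauthenticated request for an admin page.
const attackerRequest = {
  path: '/admin/users',
  headers: { [SUBREQUEST_HEADER]: bypassHeaderValue() },
};
console.log(vulnerableApp(attackerRequest)); // status 200: middleware skipped
console.log(hardenedApp(attackerRequest));   // status 302: redirected to /login
```

Run it with node. The vulnerable app serves the admin page to the crafted request because its only authorization check lives in middleware; the hardened app strips the header before the framework sees it and re-checks authorization in the route itself, so the same request is redirected to the login page. Stripping the header at the edge is the workaround the official advisory gives for deployments that cannot patch immediately; the route-level check is what keeps an application safe even if some future path skips middleware again.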

[Vulnerability reproduction screenshot]

Affected versions
15.0.0 <= Next.js < 15.2.3
14.0.0 <= Next.js < 14.2.25
11.1.4 <= Next.js <= 13.5.6
Note: the GitHub advisory later added backport releases for the older lines, so 13.x < 13.5.9 and 12.x < 12.3.5 should also be treated as affected, with 13.5.9 and 12.3.5 as the fixed versions.
Remediation
I. Official fix:
Affected users should upgrade to a fixed version as soon as possible. Download link:
https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
If upgrading is not immediately possible, the advisory recommends preventing external requests that carry the x-middleware-subrequest header from reaching the Next.js application, for example by stripping that header at a reverse proxy or WAF in front of the application.
II. mansion88明升 solutions:
1. mansion88明升 detection products
The 天阗 Intrusion Detection and Management System (IDS), 天阗 Hyper-converged Detection Probe (CSP), 天阗 Threat Analysis Appliance (TAR), 天清 Web Application Security Gateway (WAF) and 天清 Intrusion Prevention System (IPS) can detect or block attacks exploiting this vulnerability once upgraded to the latest version.
Event library download address: https://venustech.download.venuscloud.cn/
2. mansion88明升 vulnerability scanning products
(1) The "mansion88明升 Vulnerability Scanning System V6.0" supports scanning for this vulnerability.

(2) The mansion88明升 Vulnerability Scanning System 608X series also supports scanning for this vulnerability.

3. mansion88明升 Asset and Vulnerability Management Platform
The mansion88明升 Asset and Vulnerability Management Platform collects and updates intelligence in real time and tracks the Next.js middleware authorization bypass vulnerability (CVE-2025-29927) against inventoried assets.

4. mansion88明升 Security Management and Situational Awareness Platform
Through the 泰合 Security Management and Situational Awareness Platform, users can configure correlation policies and continuously monitor system logs and security-device alerts from their own environment to detect exploitation of the "Next.js middleware authorization bypass vulnerability (CVE-2025-29927)".
1) In the 泰合 platform, use the vulnerability discovery function to run a scan task for the "Next.js middleware authorization bypass vulnerability (CVE-2025-29927)" and identify the important assets on the managed network that are affected by it;

2) In the platform's Correlation Analysis module, add the rule "L2_Next.js middleware authorization bypass vulnerability (CVE-2025-29927)", which detects external attack activity from the alert logs of mansion88明升 detection devices, target host systems and similar sources:

The analysis rule automatically adds the source addresses of suspicious "L2_Next.js middleware authorization bypass vulnerability (CVE-2025-29927)" exploitation activity to the "High-risk connections" watchlist, where they serve as internal intelligence data;
3) Add the rule "L3_Next.js middleware authorization bypass vulnerability (CVE-2025-29927)" with the conditions: log name equals or contains "L2_Next.js middleware authorization bypass vulnerability (CVE-2025-29927)"; attack result equals or belongs to "attack successful"; and the destination address matches an asset vulnerability or the source address matches threat intelligence. Requiring these conditions raises the confidence of the correlation rule.

4) ATT&CK attack-chain analysis and SOAR response recommendations
Analysis of the exploitation process for the Next.js middleware authorization bypass vulnerability (CVE-2025-29927) shows that the attack chain spans several ATT&CK tactics and techniques, covering the following TTPs:
TA0001 Initial Access: T1190 Exploit Public-Facing Application
TA0004 Privilege Escalation: T1068 Exploitation for Privilege Escalation
TA0010 Exfiltration: T1041 Exfiltration Over C2 Channel

Using the SOAR automated and semi-automated orchestration and coordinated response capabilities built into the 泰合 Security Management and Situational Awareness Platform, playbooks can be built for the alert events generated by exploitation of this vulnerability so that they are handled automatically.
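The detection and correlation procedure in items 2) and 3) above, as an added example written for this page; it is not the platform's own rule syntax and not the vendor's code. Constructed JSON reverse-proxy log lines are scanned for the internal header (the L2 rule), every L2 source is placed on a "high-risk connections" watchlist, and successful hits against inventoried vulnerable assets or from threat-intelligence sources are promoted to L3. The asset inventory is derived from the advisory's affected-version ranges, using the patched releases 15.2.3, 14.2.25, 13.5.9 and 12.3.5. The log field names, the success criterion (a 2xx response), the asset list and the threat-intel entries are all assumptions.

```javascript
// Added example, not the vendor platform's rule syntax: a model of the L2/L3
// correlation over constructed log lines, with the asset inventory derived
// from the advisory's affected-version ranges. Field names are assumptions.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';
const L2_NAME = 'L2_Next.js middleware authorization bypass (CVE-2025-29927)';
const L3_NAME = 'L3_Next.js middleware authorization bypass (CVE-2025-29927)';

// Constructed reverse-proxy log lines, one JSON object per line.
const SAMPLE_LOGS = [
  '{"ts":"2025-03-25T10:00:01Z","src":"203.0.113.7","dst":"10.0.0.12","path":"/admin/users","status":200,"hdr":{"X-Middleware-Subrequest":"middleware:middleware:middleware:middleware:middleware"}}',
  '{"ts":"2025-03-25T10:00:02Z","src":"203.0.113.7","dst":"10.0.0.13","path":"/admin/users","status":302,"hdr":{"x-middleware-subrequest":"middleware"}}',
  '{"ts":"2025-03-25T10:00:03Z","src":"198.51.100.9","dst":"10.0.0.12","path":"/","status":200,"hdr":{}}',
  '{"ts":"2025-03-25T10:00:04Z","src":"192.0.2.77","dst":"10.0.0.14","path":"/dashboard","status":200,"hdr":{"x-middleware-subrequest":"src/middleware:src/middleware:src/middleware:src/middleware:src/middleware"}}',
];

// Constructed asset inventory (ip, Next.js version) and threat-intel feed.
const ASSETS = [
  { ip: '10.0.0.12', version: '15.1.0' },
  { ip: '10.0.0.13', version: '15.2.3' },
  { ip: '10.0.0.14', version: '14.2.25' },
];
const THREAT_INTEL = new Set(['192.0.2.77']);

// Affected ranges: patched in 15.2.3, 14.2.25, 13.5.9 and 12.3.5; 11.x is
// affected from 11.1.4. Assumes plain x.y.z version strings.
function isAffectedVersion(version) {
  const v = version.split('.').map(Number);
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  const lt = (s) => cmp(v, s.split('.').map(Number)) < 0;
  switch (v[0]) {
    case 15: return lt('15.2.3');
    case 14: return lt('14.2.25');
    case 13: return lt('13.5.9');
    case 12: return lt('12.3.5');
    case 11: return !lt('11.1.4');
    default: return false;
  }
}

// Inventory of hosts whose recorded version falls in an affected range.
function vulnerableAssets(assets) {
  return new Set(assets.filter((a) => isAffectedVersion(a.version)).map((a) => a.ip));
}

// L2 rule: any request carrying the internal header is suspicious. The
// assumed success criterion is that the server answered 2xx.
function detectL2(lines) {
  const alerts = [];
  for (const line of lines) {
    const ev = JSON.parse(line);
    const hasHeader = Object.keys(ev.hdr).some((k) => k.toLowerCase() === SUBREQUEST_HEADER);
    if (!hasHeader) continue;
    alerts.push({
      name: L2_NAME, ts: ev.ts, src: ev.src, dst: ev.dst, path: ev.path,
      result: ev.status >= 200 && ev.status < 300 ? 'attack successful' : 'attack attempt',
    });
  }
  return alerts;
}

// Watchlist "high-risk connections": every source that triggered L2.
function highRiskSources(l2Alerts) {
  return new Set(l2Alerts.map((a) => a.src));
}

// L3 rule: name contains the L2 name, result is "attack successful", and the
// destination is a known-vulnerable asset or the source is on threat intel.
function correlateL3(l2Alerts, vulnerable, intel) {
  return l2Alerts
    .filter((a) => a.name.includes(L2_NAME) && a.result === 'attack successful'
      && (vulnerable.has(a.dst) || intel.has(a.src)))
    .map((a) => ({ ...a, name: L3_NAME, confidence: 'high' }));
}

const l2 = detectL2(SAMPLE_LOGS);
const l3 = correlateL3(l2, vulnerableAssets(ASSETS), THREAT_INTEL);
console.log(`L2 alerts: ${l2.length}, watchlist: ${[...highRiskSources(l2)].join(', ')}`);
console.log(`L3 alerts: ${l3.map((a) => `${a.src}->${a.dst}`).join(', ')}`);
```

On the constructed input the L2 rule fires three times (the request without the header is ignored), the watchlist receives two source addresses, and only two alerts reach L3: the 200 response against the host still on 15.1.0, and the 200 response from the threat-intel source against a host that is already patched. The 302 response is kept at L2 because the middleware redirect shows the attempt failed. The header comparison is case-insensitive because proxies do not agree on header-name casing, and the version check is the same logic a scanner would apply when populating the asset inventory from the ranges listed above.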

