
CVE-2025-29927: Next.js Middleware Auth Bypassed via Internal Header Exploit


A critical vulnerability tracked as CVE-2025-29927 affects Next.js versions prior to 15.2.3, allowing attackers to bypass middleware-based authentication entirely. The flaw stems from an internal header, x-middleware-subrequest, which Next.js uses to prevent middleware from executing repeatedly during subrequests. Because the framework never verifies whether this header originates from an internal source, any external HTTP client can send it with the middleware module name repeated five times to skip middleware execution. This grants unauthenticated access to protected pages that rely solely on middleware for auth checks, exposing sensitive data without any credentials. Developers are advised to upgrade to Next.js 15.2.3 or later and implement server-side authentication checks directly within route handlers and page components as an additional security layer.
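Two defender-side checks for the class of bug described above, written here as an added example (not code from the summarised article or from the Next.js project). It assumes requests arrive as standard Web `Request`/`Headers` objects, as in Next.js App Router route handlers, and uses a hypothetical in-memory `lookupSession()` in place of a real session store.

```javascript
// Added example: edge detection of the internal header plus an auth check
// that lives inside the route handler, so it still runs if middleware is skipped.
// Assumes Web `Request`/`Headers`; `lookupSession` and SESSIONS are hypothetical.

const INTERNAL_HEADER = "x-middleware-subrequest";

// 1) Detection at the edge: an external client has no reason to send the
//    framework's internal subrequest header. Returns a finding for logging,
//    or null when the header is absent.
function inspectInboundHeaders(headers, clientIp) {
  const value = headers.get(INTERNAL_HEADER);
  if (value === null) return null;
  return {
    rule: "nextjs-internal-header-from-client",
    clientIp,
    header: INTERNAL_HEADER,
    // Log the length, not the value, so attacker-controlled text stays out of logs.
    valueLength: value.length,
    action: "strip-and-alert",
  };
}

// Strip the header before the request reaches the app (what a reverse proxy
// or edge rule should do). Returns a new Headers object.
function stripInternalHeaders(headers) {
  const clean = new Headers(headers);
  clean.delete(INTERNAL_HEADER);
  return clean;
}

// 2) Authorization inside the handler, independent of middleware.
//    Constructed session store: cookie value -> user record.
const SESSIONS = new Map([["s3ss10n-valid", { id: 42, role: "member" }]]);
function lookupSession(cookieHeader) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader || "");
  return m ? SESSIONS.get(m[1]) || null : null;
}

// Route handler for a protected resource: the session check runs here
// regardless of whether middleware executed for this request.
function handleProtectedGet(request) {
  const user = lookupSession(request.headers.get("cookie"));
  if (!user) return new Response("unauthorized", { status: 401 });
  return new Response(JSON.stringify({ userId: user.id }), { status: 200 });
}
```

The edge check is a compensating control only; the fix remains upgrading to the patched release.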

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.


