Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

Project: Next.jsVersion: 2022-September-07Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site.
The current implementation doesn’t sufficiently check access for fetching data. All requests made to Drupal are authenticated using a single scope with elevated content access. Users without access to content could be exposed to unauthorized content.Solution: If you use the Next.js module for Drupal 9.x:

  1. Upgrade to version v1.3.0.
  2. Edit the Next.js user and assign all roles that can be used as scopes. The granted roles will be filtered based on roles assigned to the current user.

See the upgrade guide at By: 

Fixed By: 

Coordinated By: 

Path to article