CyberSecurity news

FlagThis - #cve

@ComputerWeekly.com //
The cybersecurity world is on edge as MITRE, the organization behind the Common Vulnerabilities and Exposures (CVE) program, faces a potential shutdown of the program due to expiring funding from the Department of Homeland Security (DHS). The CVE program is a cornerstone of global vulnerability management, providing a standardized system for identifying and tracking software flaws. This system allows companies, governments, and researchers to share information and coordinate their efforts to address cybersecurity risks.

A lapse in funding for the CVE program would have dire consequences for the cybersecurity landscape. Without a universal framework for tracking software flaws, coordinated disclosures across vendors and governments would become significantly more challenging. This breakdown in coordination would create chaos and uncertainty in vulnerability management, making it harder for organizations to protect themselves against cyberattacks. The potential shutdown of the CVE program is not just a tech industry issue, but a matter of national security.

According to Gary Miliefsky, publisher of Cyber Defense Magazine and a former advisory board member to the CVE/OVAL initiatives, MITRE has confirmed that funding for the CVE and CWE programs will expire on April 16, 2025. While historical CVE records will remain accessible on GitHub, active development, modernization, and oversight of the CVE and CWE systems are now at risk. MITRE has expressed its commitment to CVE as a global resource, but without adequate funding, the future of this essential cybersecurity tool remains uncertain.



References :
  • Cyber Defense Magazine: MITRE CVE Program in Jeopardy
  • Tony Bradley: Cybersecurity World On Edge As CVE Program Prepares To Go Dark
  • Lukasz Olejnik: By cutting what amounts to penny costs, the Trump administration will effectively (temporarily) cripple the global cybersecurity system — CVE. It is a global system for identifying and tracking vulnerabilities that has served as a common language for companies, governments, and researchers worldwide since 1999. The consequence will be a breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they are referring to the same vulnerability. Total chaos.
  • RootWyrm: people, THIS is big and you need it in front of management RIGHT NOW. MITRE has informed the CVE board members that effective TONIGHT, funding to run CVE and CWE is effectively gone. The US federal government contracts MITRE to run these programs including both management, operations, and infrastructure. This not only could but almost certainly will result in disruptions to CVE and CWE including a halt of all operations if new contracts/funding are not secured.
  • Lukasz Olejnik: Farewell, CVE? What's next for cybersecurity?
  • bsky.app: By cutting what amounts to penny costs, the Trump administration will effectively (at least temporarily) cripple the global cybersecurity system — CVE.
  • Tenable Blog: MITRE CVE Program Funding Set To Expire
  • Jon Greig: CISA confirmed on Wednesday evening that it will no longer be running the program as of tomorrow. It is unclear whether they will find a new vendor or try to run it themselves.
  • www.csoonline.com: CVE program faces swift end after DHS fails to renew contract, leaving security flaw tracking in limbo
  • The Register - Security: Uncle Sam abruptly turns off funding for CVE program. Yes, that CVE program
  • securityonline.info: MITRE Warns of CVE Program Disruption as U.S. Contract Set to Expire
  • PCMag UK security: Nonprofit That Tracks Software Flaws in Jeopardy Following Funding Cuts
  • Metacurity: Here's my piece on the ending of the CVE contract. "Sasha Romanosky, senior policy researcher at the Rand Corporation, branded the end to the CVE program as 'tragic,' a sentiment echoed by many cybersecurity and CVE experts reached for comment."
  • www.nextgov.com: MITRE-backed cyber vulnerability program to lose funding Wednesday
  • x.com: Post discussing MITRE support for the CVE program expiring
  • www.cyberdefensemagazine.com: MITRE CVE Program in Jeopardy
  • securityboulevard.com: MITRE CVE Program Funding Set To Expire
Steve Zurier@scmagazine.com //
The National Institute of Standards and Technology (NIST) has announced that it will mark all Common Vulnerabilities and Exposures (CVEs) published before January 1, 2018, as ‘deferred.’ The agency is overwhelmed by the surging volume of newly disclosed vulnerabilities and will therefore no longer prioritize National Vulnerability Database (NVD) enrichment for these older CVEs because of their age. The change affects a substantial number of records, with estimates suggesting that over 94,000 CVEs, or 34% of the total, could be impacted. Despite this shift, NIST has stated it will continue to accept and review requests to update the metadata for these CVE records and will prioritize updates if new information indicates it is appropriate, as time and resources allow.

This move has sparked concerns within the cybersecurity community. Many high-profile incidents, including WannaCry, NotPetya, and the Colonial Pipeline attack, exploited older CVEs. With limited resources, prioritizing newer vulnerabilities might protect a larger number of organizations. However, older vulnerabilities that appear on CISA's Known Exploited Vulnerabilities (KEV) list will continue to be updated and worked on.

Experts are also worried about the potential for older CVEs to be revived using new AI-driven exploit techniques. Marc Gaffan, CEO of IONIX, noted the rapid advancement of AI capabilities and the concern that these techniques could catch organizations off guard, leaving them unprepared for re-emerging threats. Jon France, CISO at ISC2, emphasized the importance of keeping software patched and up-to-date. Despite the concerns, NIST's decision reflects the challenges of managing an ever-growing database of vulnerabilities with finite resources.



References :
  • www.scworld.com: NIST marks all CVEs prior to Jan. 1, 2018, as ‘deferred’
  • bsky.app: NIST gives up on enriching any CVE released before Jan 1, 2018
  • ComputerWeekly.com: NIST calls time on older vulnerabilities amid surging disclosures.
@cyberalerts.io //
A critical vulnerability has been discovered in the widely used Next.js framework, identified as CVE-2025-29927. The flaw allows attackers to bypass authorization checks performed in the framework's middleware layer. Middleware is commonly used to enforce authentication, authorization, path rewriting, and security-related headers, which makes this vulnerability particularly severe. Vercel, the company behind Next.js, disclosed the issue on March 21st, 2025, highlighting its potential impact on services running vulnerable versions of the framework.

To mitigate the risk, developers using Next.js version 11 or higher are urged to update to the patched versions: 15.2.3, 14.2.25, 13.5.9, or 12.3.5. For those unable to update immediately, a temporary workaround is to block external requests that carry the 'x-middleware-subrequest' header before they reach the application. Some hosting platforms, including Vercel and Netlify, have already implemented this measure to protect their users. The vulnerability allows login screens to be bypassed without valid credentials, potentially exposing user data and other sensitive information.
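The stop-gap above, as an added example that is not code from Next.js, Vercel, or any source listed here: a Node http-style guard handler that refuses requests carrying the 'x-middleware-subrequest' header, plus a helper that tells whether a Next.js version string predates the patched release for its major line. It assumes versions below 11 are outside the affected range and that 16 and later include the fix.

```javascript
// Added example, not code from Next.js, Vercel or any source cited above.
// Defensive stop-gap for CVE-2025-29927 based on the advisory's workaround:
// refuse inbound requests carrying the 'x-middleware-subrequest' header,
// which a legitimate client never sends. Also a helper that tells whether a
// Next.js version string predates the patched release for its major line.
const BLOCKED_HEADER = "x-middleware-subrequest";

// Patched versions per major line, as listed in the advisory.
const PATCHED = { 12: [12, 3, 5], 13: [13, 5, 9], 14: [14, 2, 25], 15: [15, 2, 3] };

// True when the header is present under any casing (Node lowercases
// req.headers keys, but a proxy's header map may not).
function hasMiddlewareSubrequestHeader(headers) {
  return Object.keys(headers).some((k) => k.toLowerCase() === BLOCKED_HEADER);
}

// True when a Next.js version such as "14.2.24" is in the affected range:
// 11.x has no fixed release; 12.x-15.x are vulnerable below the patched one.
// Assumption: versions below 11 are out of scope and 16+ include the fix.
function isVulnerableNextVersion(version) {
  const parts = version.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error("unparseable version: " + version);
  }
  const major = parts[0];
  if (major < 11) return false;
  if (major === 11) return true;
  const fix = PATCHED[major];
  if (!fix) return false;
  for (let i = 0; i < 3; i++) {
    if (parts[i] < fix[i]) return true;
    if (parts[i] > fix[i]) return false;
  }
  return false; // exactly the patched version
}

// Node http-style handler for a guard in front of the Next.js upstream:
// drop the request with 403 before it can reach the framework's middleware.
// Returns false when blocked, true when the request may proceed.
function handle(req, res) {
  if (hasMiddlewareSubrequestHeader(req.headers)) {
    res.writeHead(403, { "content-type": "text/plain" });
    res.end("forbidden\n");
    return false;
  }
  // Forwarding the request to the Next.js upstream would go here (omitted).
  res.writeHead(200, { "content-type": "text/plain" });
  res.end("ok\n");
  return true;
}
```

Wire `handle` into `http.createServer(handle)` or an equivalent proxy hook in front of the application; it is a stop-gap until a patched release is deployed.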



References :
  • securityonline.info: Urgent: Patch Your Next.js for Authorization Bypass (CVE-2025-29927)
  • Open Source Security: Re: CVE-2025-29927: Authorization Bypass in Next.js Middleware
  • isc.sans.edu: ISC SANS posting on the Next.js vulnerability
  • bsky.app: It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.
  • Lobsters: How to find Next.js on your network
  • Strobes Security: When security vulnerabilities appear in popular frameworks, they can affect thousands of websites overnight. That’s exactly what’s happening with a newly discovered Next.js vulnerability, one of the most widely used...
  • securityaffairs.com: Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
  • Open Source Security: CVE-2025-29927: Authorization Bypass in Next.js Middleware
  • socradar.io: Next.js Middleware Vulnerability (CVE-2025-29927): What You Need to Know and How to Respond
  • thehackernews.com: Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
  • securityboulevard.com: CVE-2025-29927 – Understanding the Next.js Middleware Vulnerability
  • BleepingComputer: Critical flaw in Next.js lets hackers bypass authorization
  • Help Net Security: Help Net Security reports on the critical Next.js authentication bypass vulnerability.
  • cyberscoop.com: Researchers raise alarm about critical Next.js vulnerability
  • Legit Security Blog: Next.js Vulnerability: What You Need to Know
  • Resources-2: Discovered a critical vulnerability affecting Next.js middleware, tracked as CVE-2025-29927.
  • The DefendOps Diaries: Understanding and mitigating CVE-2025-29927: a critical Next.js vulnerability
  • Developer Tech News: Critical security flaw uncovered in Next.js framework
  • nsfocusglobal.com: Next.js Middleware Permission Bypass Vulnerability (CVE-2025-29927)
  • www.techradar.com: Critical security flaw in Next.js could spell big trouble for JavaScript users
  • infosec.exchange: Critical in NextJS (CVE-2025-29927) impacts all NextJS versions before 15.2.3, 14.2.25, 13.5.9, 12.3.5 allowing attackers to bypass authorisation checks. Great explanation and a Proof-of-Concept demonstration by @_JohnHammond
  • SOC Prime Blog: CVE-2025-29927 Next.js Middleware Authorization Bypass Vulnerability
  • Kali Linux Tutorials: CVE-2025-29927 : Next.js Middleware Authorization Bypass – Technical Analysis
  • DEVCLASS: Next.js team fixes vuln that allows authorization bypass when middleware is used, revises documentation recommending this method
  • Rescana: Executive Summary The discovery of CVE-2025-29927, a critical vulnerability in Next.js, has raised significant cybersecurity concerns...
  • Stormshield: A critical authentication bypass vulnerability impacting the Next.js middleware has been reported. It has been assigned the reference CVE-2025-29927 and a CVSS 3.1 score of 9.1. It should be noted that proofs of concept are publicly available for this CVE-2025-29927 vulnerability.
  • Fastly Security Blog: CVE-2025-29927: Authorization Bypass in Next.js
  • hackread.com: Researchers have uncovered a critical vulnerability (CVE-2025-29927) in Next.js middleware, allowing authorization bypass. Learn about the exploit and fixes.
  • NCSC News Feed: The NCSC is encouraging UK organisations to take immediate action to mitigate a vulnerability (CVE-2025-29927) affecting the Next.js framework used to build web applications.
Classification:
  • HashTags: #NextjsVulnerability #Cybersecurity #CVE
  • Company: Next.js
  • Target: Next.js
  • Product: Next.js Framework
  • Feature: Middleware
  • Type: Vulnerability
  • Severity: Major