Programmer’s Digest #127
03/19/2025-03/26/2025: Update Next.js, Critical Ingress NGINX Controller Vulnerability, Authentication Bypass in VMware Windows Tools, and More.
1. Warning For Developers, Web Admins: Update Next.js to Prevent Exploit
Developers using Next.js should install a security update for CVE-2025-29927, a critical authorization bypass that affects any application with a middleware file. Next.js middleware is where many applications perform authentication and authorization checks, redirects and security-header handling, so a request crafted to make the framework skip middleware reaches protected routes as if those checks did not exist, including pages meant only for administrators. The bypass needs no account on the target: a single crafted request is enough, which is why it is described as trivial. Versions from 11.1.4 up to the fixed releases are affected; upgrade to 15.2.3 (for 15.x) or 14.2.25 (for 14.x).
Applications hosted on Vercel or Netlify, and applications that do not use middleware, are not affected. If patching is not immediately possible, Vercel advises blocking external requests that carry the x-middleware-subrequest header before they reach the Next.js server, for example at a reverse proxy or WAF. Johannes Ullrich of the SANS Internet Storm Center noted that similar vulnerabilities have appeared in other commercial tools.
2. Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication
Five vulnerabilities in the Ingress NGINX Controller for Kubernetes, collectively dubbed IngressNightmare, allow unauthenticated remote code execution; more than 6,500 clusters were found with the vulnerable component exposed to the internet. The most severe, CVE-2025-1974, carries a CVSS score of 9.8; the full set is CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098 and CVE-2025-1974. The flaws sit in the controller's admission webhook, which validates incoming Ingress objects by rendering them into an NGINX configuration. The webhook requires no authentication and is reachable over the pod network, so anyone who can reach it can submit a crafted Ingress object, inject arbitrary NGINX directives and execute code inside the controller pod. Because that pod can read Secrets in every namespace, the outcome can be a full cluster takeover.
Cloud security firm Wiz warns that 43% of cloud environments are at risk. The Kubernetes Security Response Committee has patched the flaws in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7.
Admins should update immediately. Until the upgrade is in place, make sure the admission webhook is reachable only from the Kubernetes API server and not from the internet or from arbitrary pods; if the admission controller is not needed, disabling it removes the attack surface entirely.
3. Broadcom Warns of Authentication Bypass in VMware Windows Tools
Broadcom has released security updates for a high-severity authentication bypass (CVE-2025-22230) in VMware Tools for Windows. The flaw stems from improper access control and lets a local attacker with a low-privileged account on a Windows guest perform operations that should require high privileges within that VM. “A malicious actor with non-administrative privileges on a Windows guest VM may perform certain high-privilege operations,” VMware warned in its security advisory.
Earlier this month, Broadcom patched three VMware zero-days (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) that were already being exploited in attacks. Shortly afterwards, more than 37,000 internet-exposed VMware ESXi hosts were found still vulnerable to CVE-2025-22224.
4. Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories’ CI/CD Secrets Exposed
A supply chain attack on the widely used GitHub Action “tj-actions/changed-files” began as a targeted attempt against Coinbase’s open-source project agentkit before broadening to every repository that used the Action. The attacker modified the Action so that it leaked the CI/CD secrets of the repositories running it; the issue was assigned CVE-2025-30066 (CVSS 8.6).
Endor Labs found 218 repositories that exposed secrets as a result, among them DockerHub, npm and AWS credentials and GitHub tokens. A second compromised Action, “reviewdog/action-setup” (CVE-2025-30154), was the stepping stone: compromising it gave the attacker the access needed to modify “tj-actions/changed-files,” and through it every dependent repository.
The attacker used dangling commits and throwaway accounts to obscure the activity and delay detection. GitHub found no evidence that its own platform was compromised; the tradecraft nonetheless points to an attacker well versed in CI/CD security.
The campaign appears to have widened only after Coinbase mitigated the initial attempt. The motive remains unclear but is likely financial, possibly cryptocurrency theft. Coinbase has since remediated the attack.
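The attack worked because workflows referenced the Action by a mutable version tag, which the attacker could point at a malicious commit; a workflow pinned to a full 40-character commit SHA keeps running the commit it was reviewed against. As an added example (not code from GitHub, Coinbase, Endor Labs or the affected projects), the following script scans a workflow file for `uses:` references and flags every third-party action that is not pinned to a full SHA. The sample workflow and the placeholder SHA in it are constructed for the demo.

```javascript
// Added example: audit GitHub Actions `uses:` references for SHA pinning.
// Not code from GitHub or the projects named in the digest. The sample
// workflow below is constructed; the 40-hex SHA is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: "reviewdog/action-setup@v1"
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
`;

// A full commit SHA is exactly 40 lowercase hex characters; anything else
// (tag, branch, short SHA) can be moved by whoever controls the repository.
const FULL_SHA = /^[0-9a-f]{40}$/;

// Returns one record per `uses:` line: the reference, how it is pinned
// ('sha', 'mutable', 'none' or 'n/a') and whether it should be flagged.
// Local (./) and docker:// references are not subject to tag retargeting on
// GitHub and are reported but not flagged.
function auditUses(workflowText) {
  const findings = [];
  for (const line of workflowText.split('\n')) {
    const m = line.match(/^\s*-?\s*uses:\s*(\S+)/);
    if (!m) continue;
    const ref = m[1].replace(/^['"]|['"]$/g, ''); // tolerate quoted values
    if (ref.startsWith('./') || ref.startsWith('docker://')) {
      findings.push({ ref, pin: 'n/a', flagged: false });
      continue;
    }
    const at = ref.lastIndexOf('@');
    const version = at === -1 ? '' : ref.slice(at + 1);
    const pin = version === '' ? 'none' : FULL_SHA.test(version) ? 'sha' : 'mutable';
    findings.push({ ref, pin, flagged: pin !== 'sha' });
  }
  return findings;
}

// Convenience: just the references that need attention.
function flaggedRefs(workflowText) {
  return auditUses(workflowText)
    .filter((f) => f.flagged)
    .map((f) => f.ref);
}

// Run over the constructed sample. On real repositories, feed it each file
// under .github/workflows/.
for (const f of auditUses(SAMPLE_WORKFLOW)) {
  console.log(`${f.flagged ? 'FLAG' : ' ok '} ${f.pin.padEnd(7)} ${f.ref}`);
}
```

Note that first-party actions such as actions/checkout@v4 are flagged too: the check is about mutability of the reference, not trust in the publisher, and a SHA pin with the intended tag kept in a trailing comment (as in the setup-node line) is what tooling like Dependabot can then keep current.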
5. CISA Adds NAKIVO Vulnerability to KEV Catalog Amid Active Exploitation
CISA has added a high-severity flaw in NAKIVO Backup & Replication (CVE-2024-48248, CVSS 8.6) to its Known Exploited Vulnerabilities (KEV) catalog. The bug is a path traversal that lets an unauthenticated attacker read arbitrary files on the appliance, including configuration files and the credentials it stores. It affects versions before 10.11.3.86570 and was fixed in v11.0.0.88174.
Two other vulnerabilities were also added:
- CVE-2025-1316 (CVSS 9.3): A remote code execution flaw (OS command injection) in Edimax IC-7100 IP cameras, exploited to deploy Mirai botnet variants. No fix is available; the device is end-of-life.
- CVE-2017-12637 (CVSS 7.5): A directory traversal flaw in SAP NetWeaver AS Java, used to steal sensitive SAP system files, potentially leading to full system compromise.
Federal Civilian Executive Branch agencies must apply the fixes or mitigations by April 9, 2025. SAP security firm Onapsis reports active exploitation of CVE-2017-12637, with attackers using it to extract privileged credentials and gain full access to vulnerable SAP applications.