## https://sploitus.com/exploit?id=307F6057-E507-5030-AFAF-C14D4A44410B
# ALPR Dashboard runtime patches

Two drop-in patches for the [algertc/alpr-dashboard](https://github.com/algertc/ALPR-Database) Docker project. Both are deployable without modifying or rebuilding the upstream image.

## What's here

### [`logger-fix/`](./logger-fix/): async logger + cleanup throttle

Replaces the built-in log transport, which reads the whole log file and rewrites it on every log call, with a single `appendFileSync` per call (one O(1) write instead of a rewrite whose cost grows with the file) plus a deferred trim to the line limit that runs at most once per minute. Also rate-limits the image-cleanup directory scan, which previously ran on every POST.

Measured impact (130 KB base64 image payload, matching real Blue Iris alerts): sustained plate-read rates that made the original server unresponsive (0 of 60 POSTs completed per test window) now run with flat CPU and full throughput.

Full surface plot and raw data in [`logger-fix/perf/`](./logger-fix/perf/).

### [`middleware-exploit-mitigation/`](./middleware-exploit-mitigation/): CVE-2025-29927 nginx overlay

The shipped image uses Next.js 15.0.3, which is vulnerable to [CVE-2025-29927](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (CVSS 9.1): a request carrying a crafted `x-middleware-subrequest` header is treated as an internal middleware subrequest and skips middleware entirely, so any authentication or authorization enforced in middleware is bypassed. Next.js fixed this in 15.2.3, but the fix cannot reach the shipped image without rebuilding it on a patched Next.js release.

This patch drops an `nginx:alpine` sidecar in front of the app that strips the bypass header from every proxied request (nginx drops a request header when `proxy_set_header` gives it an empty value). No app changes, no image rebuild. The mitigation only covers traffic that passes through the sidecar: the app container's own port must not be published or otherwise reachable from clients, only from nginx on the compose network, or the header arrives at the app unstripped.

## Why not a PR upstream?

- The logger fix is a runtime monkey-patch, tied to an internal flag (`global.__loggerInitialized`) and to `fileStorage.cleanupOldFiles`'s use of `fs/promises.readdir`. It works today against the current `logger.js` and storage code but isn't the "right" fix; the right fix is to replace `LimitedLineTransport` with a non-blocking implementation in the upstream code. This patch is a way to run safely until that happens.
- The CVE mitigation is a deployment-layer concern, not a code change. It belongs in a compose overlay, not in the app image.

Both patches are easy to install and easy to revert, independently of upstream releases.

## Compatibility

Tested against `algertc/alpr-dashboard:latest` as of 2026-04. Pin to a known-good image tag for stability; the logger patch in particular depends on implementation details that could drift with upstream changes.

## License

MIT; see [`LICENSE`](./LICENSE).