
Next.js, the popular React framework for building full-stack web applications, has addressed a significant security vulnerability. Used by a vast array of companies, including some of the world’s largest, Next.js describes itself as “enabling you to create full-stack web applications by extending the latest React features, and integrating powerful Rust-based JavaScript tooling for the fastest builds.” The newly disclosed security advisory describes a critical authorization bypass that demands immediate attention from developers.
The advisory, tracked as CVE-2025-29927 with a CVSS score of 9.1, describes a flaw in how Next.js handles middleware. According to the advisory, “It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.” An attacker who can send requests to such an application can therefore reach routes and functionality that the middleware was supposed to gate, without ever satisfying its authentication or authorization checks.
Middleware in Next.js intercepts requests before they are routed to pages, API routes or server components, which makes it a natural and widely used place for session and authorization checks. Many applications rely on it as their only gate: if middleware lets a request through, the route handler assumes the caller is authenticated. The vulnerability lets an attacker skip these checks entirely, so for such applications the bypass is equivalent to having no authorization at all, with consequences ranging from exposure of protected data to unauthorized actions and service disruption.
The Next.js team has addressed CVE-2025-29927 in patched releases. Per the advisory, Next.js 15.x is fixed in 15.2.3 and Next.js 14.x in 14.2.25. If your project is on either of these major versions, upgrading to at least the listed patch release is the most important step in mitigating this vulnerability.
For those still running older versions of Next.js, specifically 11.1.4 through 13.5.6, applying a patch is not a direct option. For these cases the advisory provides a workaround: “If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.” Next.js sets this header on subrequests it issues internally so that its own middleware is not run again for them; a request that arrives from outside carrying it is treated as if it had already passed through middleware. That is why the workaround is to stop such requests at the edge, in a CDN rule, WAF or reverse proxy in front of the application, either by rejecting them or by stripping the header before forwarding. Two checks matter when implementing this: match the header name case-insensitively, since the client chooses the casing on the wire, and make sure the origin is not reachable directly, around the filter. Because the header exists only for Next.js’s internal use, legitimate external clients should never send it, so blocking it is low-risk; it is still a stopgap, and a full upgrade to a patched version should remain the goal.