The article addresses a critical vulnerability (CVE-2025-29927) in Next.js, affecting versions 11.1.4 through early 15.x, which allows attackers to bypass middleware checks by supplying the x-middleware-subrequest header. Managed hosts like Vercel remain unaffected; however, self-hosted applications that rely on middleware for access control are at substantial risk. The vulnerability carries a CVSS score of 9.1 (critical). To mitigate the risk, users are advised to upgrade to the latest patched versions or to implement authentication checks directly in their application routes rather than relying on middleware alone.
The CVE-2025-29927 vulnerability in Next.js allows unauthenticated users to bypass critical middleware authorization checks by manipulating the x-middleware-subrequest header.
Discovered by researchers zhero and inzo, the critical Next.js vulnerability affects versions from 11.1.4 up to, but not including, patched releases like 13.5.6.