Understanding Next.js's middleware vulnerability - LogRocket Blog
Briefly

"The CVE-2025-29927 vulnerability in Next.js allows unauthenticated users to bypass critical middleware authorization checks by manipulating the x-middleware-subrequest header."
"Discovered by researchers zhero and inzo, the critical Next.js vulnerability affects versions from 11.1.4 up to, but not including, patched releases like 13.5.6."
The article addresses a critical vulnerability (CVE-2025-29927) in Next.js, affecting versions 11.1.4 through early 15.x, which allows attackers to bypass middleware checks using the x-middleware-subrequest header. Managed hosts like Vercel remain unaffected; however, self-hosted applications that rely on middleware for access control are at substantial risk. The vulnerability is rated with a CVSS score of 9.1, indicating its severity. To mitigate risks, users are advised to upgrade to the latest patched versions or implement direct authentication checks in their applications.
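The last sentence above recommends direct authentication checks in the application as a fallback when middleware cannot be trusted to run. The following is an added example (not code from the LogRocket article or from the Next.js project) of what that looks like in plain Node.js: a protected route handler resolves the caller's identity from a session cookie it verifies itself, so a request that skipped the middleware layer, with or without an `x-middleware-subrequest` header, gets the same answer. The session store, cookie format and request objects are constructed for illustration; `authenticate`, `handleAdminRoute` and `parseCookies` are hypothetical names, not framework APIs.

```javascript
// Added example (not from the LogRocket article or the Next.js project):
// a route handler that performs its own authorization check instead of
// assuming middleware has already done it.

// Constructed session store: opaque session id -> user record.
const SESSIONS = new Map([
  ["s3ss10n-admin", { user: "alice", role: "admin" }],
  ["s3ss10n-user", { user: "bob", role: "user" }],
]);

// Minimal parser for a "Cookie" header value ("a=1; b=2" -> { a: "1", b: "2" }).
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Resolve the caller from credentials the route verifies itself.
// Deliberately ignores x-middleware-subrequest and every other header that
// only has meaning to the framework's internal routing.
function authenticate(req) {
  const cookies = parseCookies(req.headers["cookie"]);
  const sid = cookies["session"];
  if (!sid) return null;
  return SESSIONS.get(sid) || null;
}

// Route-level guard: each protected handler calls this, so whether or not the
// middleware layer ran has no effect on the decision.
function handleAdminRoute(req) {
  const user = authenticate(req);
  if (!user) return { status: 401, body: "authentication required" };
  if (user.role !== "admin") return { status: 403, body: "forbidden" };
  return { status: 200, body: `hello ${user.user}` };
}

// Constructed requests; header names are lower-cased as Node's http module does.
// The header value is a placeholder: the check above never reads it.
const anonymousWithHeader = {
  headers: { "x-middleware-subrequest": "placeholder-value" },
};
const userWithHeader = {
  headers: { cookie: "session=s3ss10n-user", "x-middleware-subrequest": "placeholder-value" },
};
const admin = { headers: { cookie: "session=s3ss10n-admin" } };

if (typeof require !== "undefined" && require.main === module) {
  console.log(handleAdminRoute(anonymousWithHeader)); // status 401
  console.log(handleAdminRoute(userWithHeader));      // status 403
  console.log(handleAdminRoute(admin));               // status 200
}
```

The point of the design is that middleware is at most a first filter: the handler re-derives identity and role from a credential it validates on its own, so a request that reaches it without passing through middleware is still denied unless it carries a valid session. Upgrading to a patched Next.js release remains the primary fix; this pattern is the defence in depth the summary describes.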