Summary: A critical vulnerability (CVE-2025-29927) has been identified in the Next.js framework that allows attackers to bypass authorization checks implemented in middleware. The flaw affects Next.js versions prior to the patched releases (15.2.3, 14.2.25, 13.5.9 and 12.3.5) and can be exploited by sending a request that carries a specially crafted header. Users are advised to upgrade their installations immediately to mitigate the risk.
Affected: Next.js framework
Keypoints:
- The vulnerability lets an attacker bypass authorization checks performed in Next.js middleware by including the ‘x-middleware-subrequest’ header in a request.
- The flaw impacts Next.js versions before 15.2.3, 14.2.25, 13.5.9, and 12.3.5.
- Applications hosted on Vercel or Netlify, or deployed as static exports, are not affected.
- Until the update can be applied, blocking or stripping external requests that carry the ‘x-middleware-subrequest’ header, for example at a reverse proxy or edge layer in front of the application, is a temporary mitigation.
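As an added example (not code from the advisory, from Vercel, or from the Next.js project), the following Node.js snippet shows the two checks a practitioner would want from these keypoints: classifying an installed Next.js version against the fixed releases listed above, and a request filter for a proxy or custom server in front of the application that rejects external requests carrying the x-middleware-subrequest header. Assumptions: the header is matched by name only, whatever its value; major lines not listed in the advisory (11.x and earlier, 16.x and later) are reported as unknown rather than classified; the guard function, the response stub and the sample requests are constructed for this example and are not part of the project's API.

```javascript
// Added example (not from the advisory or the Next.js project).
// Two helpers for CVE-2025-29927 triage and interim mitigation:
//   1. isAffectedNextVersion(): classify an installed Next.js version against the
//      fixed releases listed in the advisory (15.2.3, 14.2.25, 13.5.9, 12.3.5).
//   2. guardMiddlewareSubrequest(): a request filter for a Node.js proxy or
//      custom server that rejects external requests carrying the
//      x-middleware-subrequest header, regardless of its value.

// First fixed release on each major line named in the advisory.
const FIXED_VERSIONS = { 15: '15.2.3', 14: '14.2.25', 13: '13.5.9', 12: '12.3.5' };

// Parse "15.2.3", "v14.2.24" or "13.5.9-canary.2" into [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable Next.js version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two semver-style strings: -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// true  -> version is below the fixed release on its major line (affected)
// false -> version is at or above the fixed release
// null  -> major line not covered by the advisory's list (assumption: report
//          it as unknown and consult the vendor advisory rather than guess)
function isAffectedNextVersion(version) {
  const major = parseVersion(version)[0];
  const fixed = FIXED_VERSIONS[major];
  if (fixed === undefined) return null;
  return compareVersions(version, fixed) < 0;
}

const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// HTTP header names are case-insensitive. Node's IncomingMessage lowercases them
// already, but normalise anyway so the check also works on raw header maps.
function hasSubrequestHeader(headers) {
  return Object.keys(headers || {}).some((k) => k.toLowerCase() === SUBREQUEST_HEADER);
}

// Connect/Express-style guard for the process that fronts the vulnerable app
// (a Node reverse proxy, a custom server.js, or similar). Returns true if the
// request was passed on to next(), false if it was rejected with 403.
// Assumption: no legitimate client outside the Next.js process sends this header.
function guardMiddlewareSubrequest(req, res, next) {
  if (hasSubrequestHeader(req.headers)) {
    res.statusCode = 403;
    res.setHeader('content-type', 'text/plain');
    res.end('forbidden');
    return false;
  }
  next();
  return true;
}

// Minimal stand-in for an http.ServerResponse so the guard can be exercised
// without opening a socket (constructed for the example).
function fakeResponse() {
  return {
    statusCode: 200,
    headers: {},
    body: undefined,
    setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
    end(body) { this.body = body; },
  };
}

// Drive the guard with two constructed requests: a normal one and one carrying
// the header in mixed case. Returns what happened to each.
function demo() {
  const results = {};
  const samples = {
    normal: { host: 'app.example', accept: 'text/html' },
    tampered: { host: 'app.example', 'X-Middleware-Subrequest': 'anything' },
  };
  for (const [label, headers] of Object.entries(samples)) {
    const res = fakeResponse();
    let reachedNext = false;
    const passed = guardMiddlewareSubrequest({ headers }, res, () => { reachedNext = true; });
    results[label] = { passed, reachedNext, status: res.statusCode };
  }
  return results;
}
```

The guard belongs at a layer the Next.js process does not itself route through with this header, i.e. in front of it; it only covers traffic that traverses that layer, so the fix remains upgrading to the patched release.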