Summary: A critical security vulnerability (CVE-2025-29927) has been identified in the Next.js React framework, allowing attackers to bypass authorization checks. The flaw stems from the handling of the internal header x-middleware-subrequest, which can cause middleware to be skipped. Users are advised to patch their systems or implement protective measures against requests carrying this header.
Affected: Next.js framework
Keypoints:
- The vulnerability has a CVSS score of 9.1 out of 10.0, indicating its severity.
- Affected users should update to versions 12.3.5, 13.5.9, 14.2.25, or 15.2.3 to mitigate the risk.
- In the absence of immediate patching, users should block requests containing the x-middleware-subrequest header.
- The flaw was discovered by security researcher Rachid Allam; its public disclosure makes prompt patching urgent.
- Exploitation of the flaw could lead to unauthorized access to sensitive resources, including admin pages.
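The interim mitigation above (refuse any request that carries the x-middleware-subrequest header) as an added example for a Node front server or edge layer placed in front of the Next.js app; this is illustrative code, not the article's or Vercel's own fix, and the function names, the log record shape and the sample requests are constructed here:

```javascript
// Added example (not from the article or from Next.js): block any inbound request
// that carries the internal x-middleware-subrequest header, regardless of its value,
// and emit a structured detection record for the SIEM.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Node lowercases incoming header names, but a generic headers object may not,
// so compare case-insensitively. Returns true when the request must be refused.
function carriesBlockedHeader(headers) {
  return Object.keys(headers).some((name) => name.toLowerCase() === BLOCKED_HEADER);
}

// Detection record for the log pipeline. Only the header value's length is
// recorded, so attacker-controlled content is never replayed into the logs.
function detectionRecord(req) {
  const key = Object.keys(req.headers).find((n) => n.toLowerCase() === BLOCKED_HEADER);
  const value = key === undefined ? '' : String(req.headers[key]);
  return {
    event: 'blocked_internal_header',
    cve: 'CVE-2025-29927',
    method: req.method,
    path: req.url,
    remote: (req.socket && req.socket.remoteAddress) || 'unknown',
    headerValueLength: value.length,
  };
}

// Guard to run before the request reaches Next.js. Returns the record when the
// request was refused with 403, or the result of next() when it was allowed.
function guard(req, res, next) {
  if (carriesBlockedHeader(req.headers)) {
    const record = detectionRecord(req);
    console.warn(JSON.stringify(record));
    res.writeHead(403, { 'content-type': 'text/plain' });
    res.end('Forbidden');
    return record;
  }
  return next();
}

// Wire the guard into a plain http.Server in front of the app (the server is
// created but not started here; call .listen() in your own entry point).
function createGuardedServer(upstream) {
  const http = require('http');
  return http.createServer((req, res) => guard(req, res, () => upstream(req, res)));
}

module.exports = { carriesBlockedHeader, detectionRecord, guard, createGuardedServer };
```

Keep this guard in place even after upgrading to a fixed version, since it doubles as a detector for scanning activity against the affected header.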
Source: https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html