Next.js Patches a Critical Authorization Bypass Flaw

Summary: Next.js has patched a critical authorization bypass vulnerability (CVE-2025-29927) in its middleware that could allow unauthorized access to protected resources. The issue, which affects many users of the framework, carries a CVSS score of 9.1. Developers are urged to upgrade to the patched versions or apply the interim workaround to reduce exposure.

Affected: Next.js framework

Key points:

  • CVE-2025-29927 presents a serious flaw in Next.js middleware that allows bypassing authorization checks.
  • Patched versions are available: Next.js 15.x (15.2.3) and 14.x (14.2.25); upgrading is crucial for security.
  • A workaround for older Next.js versions is to block requests that carry the x-middleware-subrequest header, but a full upgrade is recommended.
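The interim workaround above, blocking requests that carry the x-middleware-subrequest header before they reach the application, as an added example (not Next.js's or Vercel's own code). It assumes a Node-style (req, res) handler chain in front of the app; the function names, the sample requests and the placeholder header value are constructed for the illustration.

```javascript
// Added example (not Next.js's or Vercel's own code): reject any inbound request
// that carries the x-middleware-subrequest header, the interim workaround the
// advisory describes for versions that cannot be upgraded yet. Meant to run in
// front of the Next.js app (a Node reverse proxy or custom server) so the
// header never reaches the framework from an external client.
const BLOCKED_HEADER = "x-middleware-subrequest";

// True when the headers include the blocked header. The comparison is
// case-insensitive: HTTP header names are case-insensitive and different
// proxies normalise them differently.
function shouldBlockRequest(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER
  );
}

// Wraps a Node-style (req, res) handler. Requests carrying the header get a
// 403 and never reach `next`; everything else is passed through unchanged.
function withSubrequestHeaderFilter(next) {
  return function handler(req, res) {
    if (shouldBlockRequest(req.headers)) {
      res.statusCode = 403;
      res.setHeader("Content-Type", "text/plain");
      res.end("Forbidden\n");
      return;
    }
    return next(req, res);
  };
}

// Runs the wrapped handler against a minimal fake req/res and returns the
// status code, so the filter can be exercised without opening a socket.
function simulate(headers) {
  const res = {
    statusCode: 200,
    headers: {},
    body: "",
    setHeader(name, value) { this.headers[name] = value; },
    end(chunk) { this.body += chunk || ""; },
  };
  const app = (req, r) => { r.statusCode = 200; r.end("ok\n"); };
  withSubrequestHeaderFilter(app)({ headers }, res);
  return res.statusCode;
}

// Constructed sample requests; the header value is a placeholder, not a
// real payload.
const sampleRequests = {
  plain:      { host: "app.example", accept: "*/*" },
  withHeader: { host: "app.example", "x-middleware-subrequest": "placeholder" },
  mixedCase:  { host: "app.example", "X-Middleware-Subrequest": "placeholder" },
};

// Classifies each constructed sample as "blocked" or "allowed".
function classifySamples() {
  const out = {};
  for (const [name, headers] of Object.entries(sampleRequests)) {
    out[name] = simulate(headers) === 403 ? "blocked" : "allowed";
  }
  return out;
}

// Local demonstration when run directly.
console.log(classifySamples());
```

In a typical deployment the same rule is expressed once at the reverse proxy or edge that fronts the application, so that every path into Next.js is covered; the Node form here is for environments where a custom server is the first hop. Either way it is a stopgap until the patched 15.2.3 or 14.2.25 release is deployed.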

Source: https://securityonline.info/urgent-patch-your-next-js-for-authorization-bypass-cve-2025-29927/