
Auth Bypass Vulnerability Disclosed in Next.js Middleware


A critical security vulnerability has been identified in Next.js, the popular React framework, that could allow attackers to bypass authorization checks implemented in middleware. The vulnerability, tracked as CVE-2025-29927, carries a severe CVSS v3 score of 9.1 out of 10.

The security flaw affects multiple versions of Next.js, including versions 11.1.4 through 13.5.6, versions 14.0 to 14.2.24, and versions 15.0 to 15.2.2. According to the GitHub Advisory Database, the vulnerability permits unauthorized access to protected resources when authorization logic is implemented within middleware components.

Security researchers Allam Rachid (known as "zhero") and Allam Yasser (known as "inzo_") discovered and reported the vulnerability. Technically, the flaw is exploited by manipulating the "x-middleware-subrequest" header so that the security checks performed in middleware are circumvented.

Vercel, the company behind Next.js, has released patches to address the issue. Users of Next.js 15.x should upgrade to version 15.2.3, while those using version 14.x should update to 14.2.25. For users unable to update immediately, a workaround is available: block external requests that carry the "x-middleware-subrequest" header before they reach the Next.js application.

The CVSS base metrics reflect the severity of this vulnerability: it can be exploited over the network with low attack complexity, without privileges and without user interaction. The potential impact is rated high for both the confidentiality and the integrity of affected applications.

This vulnerability is particularly concerning for applications relying on middleware to handle authentication and authorization flows. Web application developers using Next.js are strongly encouraged to update their dependencies as soon as possible to mitigate this risk.

The fix was implemented in GitHub commits 52a078d and 5fd3ae8 to the Next.js repository. Further details about the vulnerability are available in advisory GHSA-f82v-jwr5-mffw and in the corresponding National Vulnerability Database entry.
