A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions.
The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0.
“Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops,” Next.js said in an advisory.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
“It was possible to skip running middleware, which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes.”
The shortcoming has been addressed in versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. If patching is not an option, it’s recommended that users prevent external user requests that contain the x-middleware-subrequest header from reaching the Next.js application.
Security researcher Rachid Allam (aka zhero and cold-try), who is credited with discovering and reporting the flaw, has since published additional technical details of the flaw, making it imperative that users move quickly to apply the fixes.
“The vulnerability allows attackers to easily bypass authorization checks performed in Next.js middleware, potentially allowing attackers access to sensitive web pages reserved for admins or other high-privileged users,” JFrog said.
The company also said any host website that utilizes middleware to authorize users without any additional authorization checks is vulnerable to CVE-2025-29927, potentially enabling attackers to access otherwise unauthorized resources (e.g., admin pages).
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
GitHub Supply Chain Breach: Coinbase Attack Exposes 218 Repositories, Leaks CI/CD Secrets