Next.js: Critical gap allows web apps to be compromised

Attackers can abuse a vulnerability in Next.js to bypass authorization. Updates are available.


There is a critical security vulnerability in the React framework Next.js. It allows attackers to bypass authorization checks under certain circumstances and thus compromise web apps. Updated packages are available to patch the vulnerability.

Over the weekend, the Next.js developers at Vercel published a security release with information about the vulnerability. According to this, Next.js uses the internal header x-middleware-subrequest to ensure that recursive requests do not trigger infinite loops. A security report showed that it was possible to bypass “middleware”, allowing requests to skip critical checks such as an authorization cookie check and reach “routes” directly (CVE-2025-29927, CVSS 9.1, risk “critical”).

Self-hosted applications that use “middleware” are vulnerable; the Next.js developers add that this applies to apps run with “next start” and “standalone” output. Those who rely on “middleware” for authentication or for security checks in the app are also affected. Apps hosted on Vercel or Netlify, or apps that are set up as static exports and do not run “middleware”, are on the other hand not vulnerable.

The versions Next.js 15.2.3, 14.2.5, 13.5.9 and 12.3.5 correct the security-relevant errors. If patching to a secure version is not possible, admins should prevent user requests containing x-middleware-subrequest from reaching the Next.js app. Apps that use Cloudflare can activate a Managed Web Application Firewall (WAF) rule, for example, the Next.js developers explain.

The developers have collected instructions and tips for the upgrade process to support IT managers. As the vulnerability is classified as a critical risk, the update should be carried out quickly.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.