Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
Mar 24, 2025
Vulnerability / Web Security
A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions. The vulnerability, tracked as CVE-2025-29927 , carries a CVSS score of 9.1 out of 10.0. "Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops," Next.js said in an advisory. "It was possible to skip running middleware , which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes." It's worth noting that CVE-2025-29927 impacts only self-hosted versions that use "next start" with "output: standalone." Next.js apps hosted on Vercel and Netlify, or deployed as static exports, are not affected. The shortcoming has been addressed in versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. If patching is not an option, it's recommended that users prevent external user ...