Install the latest version to close critical authorization bypass vulnerability.
Developers and web admins using the Next.js framework for building or managing interactive web applications should install a security update to plug a critical vulnerability.
The vulnerability, CVE-2025-29927, allows an authorization bypass if the "middleware" function is enabled for linking to a service. This vulnerability is critical if the middleware that Next.js is connecting to performs security functions such as authorization, access control, or checking whether session cookies are valid.
"This vulnerability would allow you to bypass that check," noted Johannes Ullrich, dean of research at the SANS Institute.
"If you are affected, it basically allows a very trivial authentication bypass," he said. If Next.js is used on an e-commerce site, for example, all a threat actor would have to do is log in as a regular customer; they could then explore the company's use of the framework and tamper with security controls.
"You can access things like admin features that are supposed to be authorized just by adding a simple header [to bypass security]," he said.
According to researchers Rachid A and Yasser Allam, who discovered the hole, "the impact is considerable, with all versions affected and no preconditions for exploitability."
All versions of Next.js starting with version 11.1.4 are vulnerable. Developers and admins should immediately make sure that their installation of Next.js 15.x uses version 15.2.3. Those who want to stay on version 14.x should upgrade to 14.2.25.
Not affected are on-prem applications that don't invoke the "middleware" command (next start with output: standalone), or applications hosted on Vercel, which develops Next.js, or Netlify.
Vercel recommends that, if patching to a safe version is not feasible, admins should prevent external user requests which contain the x-middleware-subrequest header from reaching the Next.js application.
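One way to apply that interim recommendation at the edge, as an added example that is not from the article or from Vercel: an Express/Connect-style guard that rejects any external request carrying the x-middleware-subrequest header before it reaches the Next.js handler. The request fixture, the address 203.0.113.5 and the header value are constructed for illustration.

```javascript
// Added example, not from the article or from Vercel: an interim edge guard that
// rejects external requests carrying the x-middleware-subrequest header before
// they reach a Next.js application, for use until the patched version is deployed.

const BLOCKED_HEADER = "x-middleware-subrequest";

// True when the header map contains the blocked header under any letter case
// (Node lower-cases incoming names, but proxies and test fixtures may not).
function hasBlockedHeader(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER
  );
}

// Express/Connect-style middleware factory. Requests with the header get a 400
// and a log line; everything else is passed to the next handler untouched.
function blockMiddlewareSubrequest(log = (msg) => console.warn(msg)) {
  return function guard(req, res, next) {
    if (hasBlockedHeader(req.headers)) {
      const from = (req.socket && req.socket.remoteAddress) || "unknown";
      log(`blocked ${req.method} ${req.url} from ${from}: ${BLOCKED_HEADER} present`);
      res.statusCode = 400;
      res.setHeader("Content-Type", "text/plain");
      res.end("Bad Request");
      return;
    }
    next();
  };
}

// Runs the guard against a constructed request and records what it did, so the
// behaviour can be checked without a listening server. In a real Express app the
// guard is registered with app.use(blockMiddlewareSubrequest()) ahead of Next.js.
function simulate(method, url, headers) {
  const events = [];
  const req = { method, url, headers, socket: { remoteAddress: "203.0.113.5" } };
  const res = {
    statusCode: 200,
    setHeader() {},
    end(body) { events.push(`end:${this.statusCode}:${body || ""}`); },
  };
  blockMiddlewareSubrequest((m) => events.push(`log:${m}`))(req, res, () => events.push("next"));
  return { status: res.statusCode, events };
}

// Constructed sample: a normal request passes, one carrying the header is blocked.
console.log(simulate("GET", "/admin", { host: "shop.example" }));
console.log(simulate("GET", "/admin", { host: "shop.example", "X-Middleware-Subrequest": "constructed-value" }));
```

The log line the guard emits is also a useful detection signal: any occurrence of it in production means someone is sending the header from outside.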
While Next.js is an open source tool, Ullrich said that commercial tools have had similar vulnerabilities in headers that could be spoofed by an attacker.
"It's really a vulnerability in the way modern web applications are built, particularly if they target cloud deployments," he said. "They are often built with different components that hand requests back and forth to find the answer to a user's request. Things like this are often used to short-cut or simplify authorization. But if it's not done correctly you end up with these bypass vulnerabilities."
"There are likely more vulnerabilities like this lingering in other [development] frameworks," he warned.