Critical security flaw in Next.js could spell big trouble for JavaScript users
Users told to ensure to apply the Next.js patch as soon as possible.
- Researchers spot critical vulnerability in Next.js
- If authorizations happen in middleware, they could be bypassed in older versions
- A patch, and a temporary workaround, are both available, so update now
Experts have warned there is a critical severity flaw in the Next.js open source web development framework which allows threat actors to bypass authorization checks.
Security researcher Rachid.A from Zhero Web Security posted an in-depth analysis of the findings, with the vulnerability tracked as CVE-2025-29927, and receiving a severity score of 9.1/10 (critical).
Prior to versions 14.2.25, and 15.2.3, it was possible to bypass authorization checks in Next.js, if they happen in middleware.
Monitor your credit score with TransUnion starting at $29.95/month
TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.
Preferred partner (What does this mean?)View Deal
Patching or mitigating
Next.js is a popular React framework for building web applications, offering features like server-side rendering (SSR), static site generation (SSG), and API routes.
It’s widely used for SEO-friendly and high-performance websites, including ecommerce platforms and dashboards.
Next.js is backed by Vercel and is used by major companies like Netflix, TikTok, and GitHub, making it one of the most adopted frameworks for modern web development. It counts more than 9 million weekly downloads on npm.
Middleware in Next.js is a function that runs before a request is completed, allowing developers to modify requests and responses, handle authentication, or implement redirects. The function is useful for tasks like user authentication, A/B testing, and localization without affecting page load speed.
It was also stated that just self-hosted versions, using ‘next start’ with ‘output:standalone’. Apps hosted on Vercel or Nerlify, or deployed as static exports, are not affected.
Ideally, users should patch to the above-mentioned versions to mitigate any chances of exploits. However, those that cannot apply the patch so fast are advised to prevent external user requests which contain the x-middleware-subrequest header from reaching the Next.js application.
“This vulnerability has been present for several years in the next.js source code, evolving with the middleware and its changes over the versions,” the researcher concluded, before stressing that Next.js is “widely used across critical sectors, from banking services to blockchain”.
Via BleepingComputer
You might also like
- US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
- We've rounded up the best password managers
- Take a look at our guide to the best authenticator app
