Next.js Vulnerability Identified
A security vulnerability in the Next.js framework, identified as CVE-2025-29927, has been detailed in a new security bulletin from Tenable. The finding highlights the need for developers using the popular React framework to stay current with official patches and releases. Maintaining a secure posture is a critical aspect of deploying production-grade web applications.
- This vulnerability is a critical authorization bypass flaw that allows an attacker to gain unauthorized access to protected routes within a Next.js application. - It can be exploited by sending a crafted HTTP request containing a specific internal header, `x-middleware-subrequest`, which tricks the application into skipping the execution of middleware functions. - The vulnerability has been assigned a CVSS score of 9.1, indicating a critical severity level. - Security researcher Rachid Allam (zhero) was credited with the discovery and analysis of this middleware bypass vulnerability. - Self-hosted Next.js applications are primarily at risk, while applications deployed on Vercel and Netlify are not affected by this specific vulnerability. - The patched versions released by Vercel are 15.2.3, 14.2.25, and 13.5.9. For older versions, a workaround is recommended. - If an immediate upgrade is not possible, the recommended temporary mitigation is to configure the web server or proxy to strip the `x-middleware-subrequest` header from all incoming requests. - Beyond unauthorized access, successful exploitation could in some cases lead to cache poisoning and denial of service attacks.
