- Researchers discover a critical vulnerability in Next.js
- In earlier versions, authorization checks that happen in the Middleware could be bypassed
- A patch and a temporary workaround are available, so update now
Experts have warned of a critical-severity flaw in Next.js, the open source JavaScript web development framework, that allows threat actors to bypass authorization checks.
Rachid.A, a web security researcher, published an in-depth analysis of the findings. The vulnerability is tracked as CVE-2025-29927 and received a severity score of 9.1/10 (critical).
Before versions 14.2.25 and 15.2.3, it was possible to bypass authorization checks in Next.js if they were performed in the Middleware.
Patch or mitigation
Next.js is a popular React framework for building web applications, offering features such as server-side rendering (SSR), static site generation (SSG) and API routes.
It is widely used for high-performance, SEO-friendly websites, including e-commerce platforms and dashboards.
Next.js is backed by Vercel and is used by major companies such as Netflix, TikTok and GitHub, making it one of the most widely adopted frameworks for modern web development. It has more than 9 million weekly downloads on npm.
Middleware in Next.js is a function that runs before a request is completed, allowing developers to modify requests and responses, handle authentication or implement redirects. It is useful for tasks such as user authentication, A/B testing and localization without affecting page load speed.
It was also stated that only self-hosted deployments using 'next start' with 'output: standalone' are affected. Applications hosted on Vercel or Netlify, or deployed as static exports, are not affected.
Ideally, users should update to the patched versions mentioned above to remove any possibility of exploitation. However, those who cannot apply the patch right away are advised to prevent external user requests containing the x-middleware-subrequest header from reaching the Next.js application.
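One way to apply that workaround at a reverse proxy or edge layer in front of a self-hosted app, as an added example that is not from the article or the Next.js project: the filter below strips (or, in strict mode, rejects) any externally supplied x-middleware-subrequest header and emits an event for detection; the request objects and the `filterExternalRequest` helper are constructed for illustration.

```javascript
// Added, illustrative filter for a proxy/edge layer in front of a self-hosted
// Next.js app. External clients never legitimately send x-middleware-subrequest,
// so the header is removed (or the request rejected) and the event is recorded.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Lowercase every header name so that case variants cannot slip past the check.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Returns { headers, blocked, event }. In 'strip' mode the header is dropped and
// the request continues; in 'reject' mode the caller should answer with 400.
function filterExternalRequest(req, mode = 'strip') {
  const headers = normaliseHeaders(req.headers);
  if (!(BLOCKED_HEADER in headers)) {
    return { headers, blocked: false, event: null };
  }
  const event = {
    kind: 'external-client-sent-next-middleware-header',
    path: req.path,
    client: req.remoteAddress,
    action: mode,
  };
  if (mode === 'reject') {
    return { headers, blocked: true, event };
  }
  delete headers[BLOCKED_HEADER];
  return { headers, blocked: false, event };
}

// Constructed sample requests (not real traffic).
const benign = { path: '/dashboard', remoteAddress: '203.0.113.7',
  headers: { Host: 'app.example', Cookie: 'session=abc' } };
const suspicious = { path: '/admin', remoteAddress: '198.51.100.9',
  headers: { Host: 'app.example', 'X-Middleware-Subrequest': 'constructed-value' } };

function demo() {
  return [
    filterExternalRequest(benign),
    filterExternalRequest(suspicious),
    filterExternalRequest(suspicious, 'reject'),
  ];
}

console.log(JSON.stringify(demo(), null, 2));
```

In production the event object would be forwarded to your logging pipeline; a spike of such events from one client is worth an alert.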
“This vulnerability has been present for several years in the Next.js source code, evolving with the Middleware and its changes across versions,” the researcher concluded, before emphasizing that Next.js is “widely used in critical sectors, from banking services to blockchain.”
Via BleepingComputer