Critical Next.js Vulnerability: Attackers Can Bypass Middleware Authorization Checks

A serious security vulnerability has been identified in the Next.js React framework that allows unauthenticated users to bypass authorization checks implemented in middleware. The flaw is tracked as CVE-2025-29927 and carries a CVSS score of 9.1, which places it in the Critical severity range.

Next.js uses an internal header, x-middleware-subrequest, to mark requests the framework issues to itself, so that middleware does not run again on them and recurse indefinitely. Because the framework honoured this header on incoming requests, an attacker can supply it from the outside and have middleware skipped entirely, so any check implemented there, such as validating an authorization cookie, never runs before the request reaches the route. Applications that perform their authorization checks only in middleware are the ones affected.

To mitigate this issue, upgrade Next.js to a patched release: 12.3.5, 13.5.9, 14.2.25, or 15.2.3, whichever matches the major version in use. If immediate patching is not feasible, block incoming requests that contain the x-middleware-subrequest header before they reach the application, for example at a reverse proxy or WAF. A filter placed in Next.js middleware itself would not help, since middleware is exactly what the bypass skips.
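The following JavaScript is an added illustration, not code from the original post or from the Next.js project. It models, in simplified form, the behaviour described above (a request carrying the internal header skips middleware, so the cookie check never runs) and implements the interim mitigation: a filter in front of the application that rejects any external request carrying the header, plus a small scan over constructed access-log records to spot attempts. The /admin path, the session cookie, and the rule that mere presence of the header skips middleware are assumptions made for the model; the real runtime inspects the header's value.

```javascript
// Added example: a simplified model of the bypass and its interim mitigation.
// Not code from the original post or from Next.js; paths and names are assumed.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// HTTP header names are case-insensitive; Node's http module lower-cases them,
// so the filter must do the same rather than match one exact spelling.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Hypothetical application middleware: the only place this app checks auth.
function authMiddleware(req) {
  if (req.path.startsWith('/admin') && req.cookies.session !== 'valid-session') {
    return { status: 401, body: 'unauthorized' };
  }
  return null; // fall through to the route handler
}

function adminRoute() {
  return { status: 200, body: 'admin panel' };
}

// Model of the pre-patch behaviour: a request that carries the internal header
// is treated as one of the framework's own sub-requests and middleware is
// skipped. The real check looks at the header's value; this model reacts to
// its presence, which is enough to show the consequence.
function vulnerableRuntime(req) {
  const headers = normalizeHeaders(req.headers);
  if (!(SUBREQUEST_HEADER in headers)) {
    const denied = authMiddleware(req);
    if (denied) return denied;
  }
  return adminRoute();
}

// Interim mitigation: reject external requests that carry the header. This has
// to run in front of Next.js (reverse proxy, WAF, edge function), because the
// middleware that would otherwise check it is what the bypass skips.
function edgeFilter(req) {
  const headers = normalizeHeaders(req.headers);
  if (SUBREQUEST_HEADER in headers) {
    return { status: 400, body: 'request carries an internal header' };
  }
  return null;
}

function mitigatedRuntime(req) {
  return edgeFilter(req) || vulnerableRuntime(req);
}

// Detection: flag access-log records whose captured request headers include
// the internal header, whatever its value.
function findBypassAttempts(records) {
  return records
    .filter((r) => SUBREQUEST_HEADER in normalizeHeaders(r.headers))
    .map((r) => `${r.ip} ${r.path}`);
}

// Constructed sample requests and log records (not real traffic).
const anonymous = { path: '/admin', cookies: {}, headers: {} };
const attacker = {
  path: '/admin',
  cookies: {},
  headers: { 'X-Middleware-Subrequest': 'any-value' },
};
const legit = { path: '/admin', cookies: { session: 'valid-session' }, headers: {} };

const sampleLog = [
  { ip: '203.0.113.7', path: '/admin', headers: { 'x-middleware-subrequest': 'any-value' } },
  { ip: '198.51.100.2', path: '/', headers: { accept: 'text/html' } },
];

function demo() {
  return {
    anonymous: vulnerableRuntime(anonymous).status,       // 401: middleware ran
    attacker: vulnerableRuntime(attacker).status,         // 200: middleware skipped
    attackerMitigated: mitigatedRuntime(attacker).status, // 400: rejected at the edge
    legit: mitigatedRuntime(legit).status,                // 200: valid session
    attempts: findBypassAttempts(sampleLog),              // ['203.0.113.7 /admin']
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Rejecting is the simplest rule; stripping the header at the proxy and forwarding the request also neutralises the bypass. Either way the filter must match the header name case-insensitively and must not care about the value, since only the framework should ever set it on a request.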

Security researcher Rachid Allam, known as zhero and cold-try, discovered the vulnerability and has since published further technical details, urging users to apply the fixes quickly. The flaw lets an attacker bypass middleware authorization checks with a crafted request header, which can lead to unauthorized access to protected areas of an application, such as admin pages.

Organizations using Next.js are strongly encouraged to upgrade now, or to put the header block in place until they can, given the severity of this flaw.
