
Warning for developers, web admins: update Next.js to prevent exploit

Tuesday March 25, 2025. 08:52 PM , from InfoWorld
Developers and web admins using the Next.js framework for building or managing interactive web applications should install a security update to plug a critical vulnerability.

The vulnerability, CVE-2025-29927, allows an authorization bypass if the “middleware” function is enabled for linking to a service. This vulnerability is critical if the middleware that Next.js is connecting to performs security functions such as authorization, access control, or checking if session cookies are valid.

“This vulnerability would allow you to bypass that check,” noted Johannes Ullrich, dean of research at the SANS Institute.

“If you are affected, it basically allows a very trivial authentication bypass,” he said. If Next.js is used on an e-commerce site, for example, a threat actor would only have to log in as a regular customer, explore the company’s use of the framework, and then tamper with security controls.

“You can access things like admin features that are supposed to be authorized just by adding a simple header [to bypass security],” he said.

According to researchers Rachid A and Yasser Allam, who discovered the hole, “the impact is considerable, with all versions affected and no preconditions for exploitability.”

All versions of Next.js starting with version 11.1.4 are vulnerable. Developers and admins should immediately make sure that their installation of Next.js 15.x uses version 15.2.3. Those who want to stay on version 14.x should upgrade to 14.2.25.

Not affected are on-prem applications that do not use the “middleware” function (self-hosted with next start and output: standalone), or applications hosted on Vercel, which develops Next.js, or on Netlify.

Vercel recommends that, if patching to a safe version is not feasible, admins should prevent external user requests that contain the x-middleware-subrequest header from reaching the Next.js application.
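The following is an added example, not code from the InfoWorld article, Vercel or the Next.js project: an edge-side filter that enforces the interim mitigation just described (reject external requests carrying the x-middleware-subrequest header before they reach Next.js), plus a retrospective scan of access logs for the same header. The header name is the one named in the advisory; the forward hook, the JSON log format, and the sample records are assumptions constructed for this example.

```javascript
// Added example, not code from the InfoWorld article or the Next.js project.
// Enforces the interim mitigation: reject requests that carry the
// x-middleware-subrequest header at the edge, and log each rejection.

const BLOCKED_HEADER = 'x-middleware-subrequest';

// HTTP header names are case-insensitive; Node lower-cases them, but other
// front ends may not, so normalise before comparing.
function hasBlockedHeader(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER,
  );
}

// Build a Node-style (req, res) handler to put in front of the app.
// `forward(req, res)` is an assumed hook that relays clean requests upstream;
// `log(record)` receives one record per rejection so it can be shipped to a
// SIEM. Rejecting is preferred over silently stripping the header: no
// external client has a legitimate reason to send it, and a 400 leaves an
// audit trail.
function makeEdgeHandler(forward, log = console.log) {
  return function edgeHandler(req, res) {
    if (hasBlockedHeader(req.headers)) {
      log({
        event: 'rejected-x-middleware-subrequest',
        method: req.method,
        url: req.url,
        remote: req.socket ? req.socket.remoteAddress : undefined,
      });
      res.statusCode = 400;
      res.setHeader('content-type', 'text/plain');
      res.end('Bad Request');
      return;
    }
    forward(req, res);
  };
}

// Drive the handler with a fake request/response so the policy can be
// checked without opening a socket. Returns the status code produced.
function simulate(handler, headers, method = 'GET', url = '/') {
  const req = { headers, method, url, socket: { remoteAddress: '198.51.100.7' } };
  const res = { statusCode: 0, setHeader() {}, end() {} };
  handler(req, res);
  return res.statusCode;
}

// Retrospective check: given access-log lines that record request headers as
// JSON (a constructed format; adapt the field names to your proxy), return
// the records that carried the blocked header, for triage.
function findBlockedHeaderHits(logLines) {
  const hits = [];
  for (const line of logLines) {
    let record;
    try {
      record = JSON.parse(line);
    } catch {
      continue; // unparsable line: skip it rather than abort the scan
    }
    if (hasBlockedHeader(record.headers)) {
      hits.push({ ts: record.ts, ip: record.ip, path: record.path });
    }
  }
  return hits;
}

// Constructed sample log lines, not real traffic (header value omitted).
const SAMPLE_LOG = [
  '{"ts":"2025-03-25T10:00:01Z","ip":"203.0.113.5","path":"/admin","headers":{"host":"shop.example","X-Middleware-Subrequest":"[omitted]"}}',
  '{"ts":"2025-03-25T10:00:02Z","ip":"203.0.113.9","path":"/products","headers":{"host":"shop.example"}}',
  'not json at all',
  '{"ts":"2025-03-25T10:00:03Z","ip":"203.0.113.5","path":"/admin/users","headers":{"host":"shop.example","x-middleware-subrequest":"[omitted]"}}',
];

function main() {
  const handler = makeEdgeHandler(
    (req, res) => { res.statusCode = 200; res.end('ok'); },
    (record) => console.log('rejected', JSON.stringify(record)),
  );
  console.log('normal request ->', simulate(handler, { host: 'shop.example' }, 'GET', '/admin'));
  console.log('spoofed header ->', simulate(handler, { host: 'shop.example', 'X-Middleware-Subrequest': '[omitted]' }, 'GET', '/admin'));
  console.log('log hits:', findBlockedHeaderHits(SAMPLE_LOG));
}

main();
```

The handler is a stop-gap for the window before the upgrade to 15.2.3 or 14.2.25 lands; the log scan is the check to run once the filter is in place, to see whether the header was already arriving from outside before the block took effect.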

While Next.js is an open source tool, Ullrich said that commercial tools have had similar vulnerabilities in headers that could be spoofed by an attacker.

“It’s really a vulnerability in the way modern web applications are built, particularly if they target cloud deployments,” he said. “They are often built with different components that hand requests back and forth to find the answer to a user’s request. Things like this are often used to short-cut or simplify authorization. But if it’s not done correctly you end up with these bypass vulnerabilities.”

“There are likely more vulnerabilities like this lingering in other [development] frameworks,” he warned.
https://www.infoworld.com/article/3853904/warning-for-developers-web-admins-update-next-js-to-preven...
