A significant security vulnerability has been identified in the Next.js React framework, posing potential risks by allowing unauthorized access in certain situations. The flaw, officially recorded as CVE-2025-29927, has been assigned a high criticality score of 9.1 out of 10 according to the Common Vulnerability Scoring System (CVSS). This rating underscores the severity of the issue and the urgency with which it should be addressed.
Next.js, a popular framework for building React applications, uses an internal mechanism involving a header known as x-middleware-subrequest to prevent recursive requests that could lead to infinite loops. However, it was discovered that this system could be exploited to bypass middleware execution. This loophole could potentially allow requests to circumvent essential security checks, such as the validation of authorization cookies, before they reach their intended routes.
The developers of Next.js have responded to this vulnerability by releasing updated versions of the framework—12.3.5, 13.5.9, 14.2.25, and 15.2.3—that address the issue. Users who are unable to immediately update to these versions are advised to block any external user requests containing the x-middleware-subrequest header from interacting with their Next.js applications.
The discovery of this vulnerability is credited to security researcher Rachid Allam, also known by the aliases zhero and cold-try, who has published detailed technical information about the flaw. This disclosure makes it imperative for users to implement the necessary fixes promptly to protect their applications from potential exploitation.
JFrog, a software company, has further emphasized the seriousness of this vulnerability. It allows attackers to bypass critical authorization checks conducted by Next.js middleware, thereby potentially gaining access to sensitive web pages intended for administrators or other high-privileged users. Websites that rely solely on middleware for user authorization, without additional checks, are particularly vulnerable to this flaw. Attackers could exploit this vulnerability to access restricted resources such as admin pages.
For organizations and developers using Next.js, it is crucial to act swiftly to mitigate this risk. Immediate steps should be taken to update to the latest patched versions or to implement alternative protective measures as outlined. The security of web applications and the protection of sensitive data depend on the timely and effective resolution of such vulnerabilities.
In addition to addressing this specific flaw, staying informed about security best practices and emerging threats is vital. Engaging in educational opportunities, such as webinars, can provide valuable insights. For instance, participating in a webinar with security expert Diana Shtil could help organizations understand evolving threats related to artificial intelligence and learn proactive strategies for implementing a Zero Trust defense model.
To stay ahead in the rapidly changing landscape of cybersecurity, it is essential to access the latest news, gain insights from experts, and utilize exclusive resources and strategies provided by industry leaders.
