A critical flaw in the Next.js React framework could be exploited to bypass authorization checks under certain conditions.
Maintainers of Next.js React framework addressed a critical vulnerability tracked as CVE-2025-29927 (CVSS score of 9.1) with the release of versions versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
“Next.js version 15.2.3 has been released to address a security vulnerability (CVE-2025-29927). Additionally, backported patches are available.” reads the advisory. “We recommend that all self-hosted Next.js deployments using next start and output: 'standalone' should update immediately.”
Authorization checks in Next.js middleware can be bypassed, potentially allowing unauthorized access.
“It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.” continues the advisory.
Maintainers also provide a workaround if patching isn’t possible, they recommends blocking external requests with the x-middleware-subrequest header to protect Next.js application.
The researchers Allam Rachid (zhero) and Allam Yasser (inzo_) reported the vulnerability and published technical details about the issue.
Cybersecurity firm JFrog warned that websites using Middleware for user authorization without additional checks are exposed to hack. Next.js users with middleware.ts or _middleware.ts files, or those using certain npm packages, are at risk.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Next.js React framework)
Source: SecurityAffairs
Source Link: https://securityaffairs.com/175775/security/next-js-react-framework-critical-issue.html