Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Critical security flaw in Next.js could spell big trouble for JavaScript users

An abstract image of a lock against a digital background, denoting cybersecurity.

  • Researchers spot critical vulnerability in Next.js
  • If authorizations happen in middleware, they could be bypassed in older versions
  • A patch, and a temporary workaround, are both available, so update now

Experts have warned there is a critical severity flaw in the Next.js open source web development framework which allows threat actors to bypass authorization checks.

Security researcher Rachid.A from Zhero Web Security posted an in-depth analysis of the findings, with the vulnerability tracked as CVE-2025-29927, and receiving a severity score of 9.1/10 (critical).

Prior to versions 14.2.25, and 15.2.3, it was possible to bypass authorization checks in Next.js, if they happen in middleware.

Patching or mitigating

Next.js is a popular React framework for building web applications, offering features like server-side rendering (SSR), static site generation (SSG), and API routes.

It’s widely used for SEO-friendly and high-performance websites, including ecommerce platforms and dashboards.

Next.js is backed by Vercel and is used by major companies like Netflix, TikTok, and GitHub, making it one of the most adopted frameworks for modern web development. It counts more than 9 million weekly downloads on npm.

Middleware in Next.js is a function that runs before a request is completed, allowing developers to modify requests and responses, handle authentication, or implement redirects. The function is useful for tasks like user authentication, A/B testing, and localization without affecting page load speed.

It was also stated that just self-hosted versions, using ‘next start’ with ‘output:standalone’. Apps hosted on Vercel or Nerlify, or deployed as static exports, are not affected.

Ideally, users should patch to the above-mentioned versions to mitigate any chances of exploits. However, those that cannot apply the patch so fast are advised to prevent external user requests which contain the x-middleware-subrequest header from reaching the Next.js application.

“This vulnerability has been present for several years in the next.js source code, evolving with the middleware and its changes over the versions,” the researcher concluded, before stressing that Next.js is “widely used across critical sectors, from banking services to blockchain”.

Via BleepingComputer

You might also like

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.