Next.js, the widely-used React framework, has released version 15.2.3 to address a severe security vulnerability that could allow attackers to bypass authorization checks in web applications.
The security flaw, identified as CVE-2025-29927, received a critical severity score of 9.1 out of 10. The vulnerability impacts multiple Next.js versions, including 11.1.4 through 13.5.6, 14.0 to 14.2.24, and 15.0 to 15.2.2.
Security researchers Allam Rachid and Allam Yasser discovered that attackers could manipulate the "x-middleware-subrequest" header to bypass security checks implemented in middleware components, potentially gaining unauthorized access to protected resources.
Vercel, the company maintaining Next.js, recommends users upgrade to version 15.2.3 for the 15.x series or version 14.2.25 for the 14.x series. For teams unable to update immediately, Vercel suggests blocking external requests containing the "x-middleware-subrequest" header from reaching Next.js applications as a temporary mitigation.
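The interim mitigation above is a perimeter rule: an externally originated request should never carry the "x-middleware-subrequest" header, so it can be refused before it reaches the application. The following is an added example written for this article, not code from Vercel, Next.js or the researchers. It shows two defender-side pieces: a Connect/Express-style filter (the `(req, res, next)` signature is an assumption about where it is mounted) that rejects such requests, and a scanner that flags access-log records carrying the header so past traffic can be reviewed. The JSON log record format and all sample values are constructed for the example.

```javascript
// Added example, not code from the Next.js advisory or from Vercel.
// 1. A perimeter filter that refuses external requests carrying the
//    x-middleware-subrequest header before they reach a Next.js app.
// 2. A scanner that flags access-log records carrying that header.
// The JSON-lines log format and all sample values are constructed.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// True when a header map contains the internal header under any casing.
// Node lowercases IncomingMessage.headers, but proxies and log pipelines
// may preserve the original casing, so compare case-insensitively.
function carriesInternalHeader(headers) {
  if (!headers || typeof headers !== 'object') return false;
  return Object.keys(headers).some((name) => name.toLowerCase() === INTERNAL_HEADER);
}

// Connect/Express-style middleware (assumed mounting point) placed in front
// of the Next.js request handler, or ported to a reverse-proxy rule.
// Next.js sets this header only on its own internal subrequests, which do
// not arrive through the public listener, so refusing it at the perimeter
// does not affect normal traffic. Returns false when the request was
// rejected and true when it was passed on, so callers can test the decision.
function blockSubrequestHeader(req, res, next) {
  if (carriesInternalHeader(req.headers)) {
    res.statusCode = 400;
    res.setHeader('content-type', 'text/plain');
    res.end('Bad Request');
    return false;
  }
  next();
  return true;
}

// Detection over access logs: each line is one JSON object with ip, method,
// path and headers (constructed format). Malformed lines are skipped rather
// than aborting the scan. Only ip/method/path are reported, never the header
// value, so the output can be shared without copying request payloads around.
function findSubrequestHeaderAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    let record;
    try {
      record = JSON.parse(line);
    } catch {
      continue;
    }
    if (carriesInternalHeader(record.headers)) {
      hits.push({ ip: record.ip, method: record.method, path: record.path });
    }
  }
  return hits;
}

// Constructed sample traffic: ordinary requests, one malformed line, and one
// request that carries the internal header with mixed-case spelling.
const SAMPLE_LOG = [
  JSON.stringify({ ip: '203.0.113.10', method: 'GET', path: '/dashboard',
    headers: { host: 'app.example', cookie: '[redacted]' } }),
  JSON.stringify({ ip: '203.0.113.11', method: 'GET', path: '/admin',
    headers: { Host: 'app.example', 'X-Middleware-Subrequest': '[redacted]' } }),
  'not a json record',
  JSON.stringify({ ip: '203.0.113.12', method: 'POST', path: '/api/login',
    headers: { host: 'app.example' } }),
];

// Running the file directly prints the flagged records from the sample log.
console.log(findSubrequestHeaderAttempts(SAMPLE_LOG));
```

Mount `blockSubrequestHeader` ahead of the Next.js handler in a custom server, or express the same rule in the reverse proxy in front of it, and feed `findSubrequestHeaderAttempts` the access logs from the period before the rule was in place; any hit is worth a look, since legitimate clients have no reason to send this header.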
The vulnerability requires no special privileges or user interaction to exploit, making it particularly dangerous for applications using middleware for authentication and authorization. The potential impact includes risks to both application confidentiality and integrity.
Web developers using Next.js should prioritize updating their dependencies to the latest patched versions to protect their applications from potential attacks.