Developers and web administrators using the Next.js framework for their web applications are being urged to update their systems immediately to fix a critical security vulnerability that could allow unauthorized access to sensitive features. The flaw, identified as CVE-2025-29927, affects versions of Next.js starting with version 11.1.4 and could enable attackers to bypass essential authorization checks, putting sensitive data and application controls at risk.
The issue lies in how the “middleware” function is used within Next.js, particularly when it is involved in linking to services that perform vital security functions like user authentication or session management. If exploited, this vulnerability could allow attackers to bypass these security layers, gaining access to features or areas of the application that are typically restricted. This could be devastating, particularly for e-commerce sites, where unauthorized users could potentially access administrative tools or manipulate security controls without proper authentication.
Security experts, including Johannes Ullrich from the SANS Institute, have emphasized the ease with which this vulnerability can be exploited. “It’s a trivial authentication bypass,” Ullrich explained. Attackers only need to add a simple header to bypass the security checks, which could then grant them access to restricted areas of the application. This means that attackers could gain control of admin-level features, posing a significant threat to organizations using Next.js for their web applications.
To mitigate the risk, developers and administrators should immediately update their Next.js installation to version 15.2.3 for the 15.x series or to version 14.2.25 for the 14.x series. For those running applications that don’t invoke the “middleware” command, such as on-premise setups or apps hosted on Vercel or Netlify, the vulnerability does not apply. However, Vercel has advised that if updating to a safe version isn’t possible, admins should block any requests containing the “x-middleware-subrequest” header to protect their applications until a patch is applied.