Critical security flaw in Next.js could spell big trouble for JavaScript users

News
By published

Next.js flaw allows users to bypass authorization checks

An abstract image of a lock against a digital background, denoting cybersecurity.
(Image Credit: TheDigitalArtist / Pixabay) (Image credit: Pixabay)
  • Researchers spot critical vulnerability in Next.js
  • If authorizations happen in middleware, they could be bypassed in older versions
  • A patch, and a temporary workaround, are both available, so update now

Experts have warned there is a critical severity flaw in the Next.js open source web development framework which allows threat actors to bypass authorization checks.

Security researcher Rachid.A from Zhero Web Security posted an in-depth analysis of the findings, with the vulnerability tracked as CVE-2025-29927, and receiving a severity score of 9.1/10 (critical).

Prior to versions 14.2.25, and 15.2.3, it was possible to bypass authorization checks in Next.js, if they happen in middleware.

Monitor your credit score with TransUnion starting at $29.95/month

Monitor your credit score with TransUnion starting at $29.95/month

TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.

Preferred partner (What does this mean?)

View Deal

Patching or mitigating

Next.js is a popular React framework for building web applications, offering features like server-side rendering (SSR), static site generation (SSG), and API routes.

It’s widely used for SEO-friendly and high-performance websites, including ecommerce platforms and dashboards.

Next.js is backed by Vercel and is used by major companies like Netflix, TikTok, and GitHub, making it one of the most adopted frameworks for modern web development. It counts more than 9 million weekly downloads on npm.

Middleware in Next.js is a function that runs before a request is completed, allowing developers to modify requests and responses, handle authentication, or implement redirects. The function is useful for tasks like user authentication, A/B testing, and localization without affecting page load speed.

It was also stated that just self-hosted versions, using ‘next start’ with ‘output:standalone’. Apps hosted on Vercel or Nerlify, or deployed as static exports, are not affected.

Ideally, users should patch to the above-mentioned versions to mitigate any chances of exploits. However, those that cannot apply the patch so fast are advised to prevent external user requests which contain the x-middleware-subrequest header from reaching the Next.js application.

“This vulnerability has been present for several years in the next.js source code, evolving with the middleware and its changes over the versions,” the researcher concluded, before stressing that Next.js is “widely used across critical sectors, from banking services to blockchain”.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
Cyber-security
Juniper Session Smart routers have a critical flaw, so patch now
The best free firewall
Microsoft fixes Power Pages security flaw, tells users to be on their guard
China
Juniper patches security flaws which could have let hackers take over your router
A person at a laptop with a cybersecure lock symbol floating above it.
A worrying security flaw could have left Microsoft SharePoint users open to attack
A close-up of an interent search bar with 'http://ww' visible
US government warns this popular CMS software has a worrying security flaw
Avast cybersecurity
Hackers are hijacking government software to access sensitive servers
Latest in Security
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple H3C Magic routers hit by critical severity remote command injection, with no fix in sight
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
Latest in News
girl using laptop hoping for good luck with her fingers crossed
Windows 11 24H2 seems to be a massive fail – so Microsoft apparently working on 25H2 fills me with hope... and fear
ChatGPT Advanced Voice mode on a smartphone.
Talking to ChatGPT just got better, and you don’t need to pay to access the new functionality
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple H3C Magic routers hit by critical severity remote command injection, with no fix in sight
Apple Watch Ultra 2 timer
The Apple Watch is getting a sleep alarm upgrade it probably should have had 10 years ago
Nikon Z5
The Nikon Z5 II could land soon – here's what to expect from Nikon's rumored entry-level full-frame camera
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
More about security
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol

Multiple H3C Magic routers hit by critical severity remote command injection, with no fix in sight
An abstract image of digital security.

Fake file converters are stealing info, pushing ransomware, FBI warns
girl using laptop hoping for good luck with her fingers crossed

Windows 11 24H2 seems to be a massive fail – so Microsoft apparently working on 25H2 fills me with hope... and fear
See more latest
Most Popular
girl using laptop hoping for good luck with her fingers crossed
Windows 11 24H2 seems to be a massive fail – so Microsoft apparently working on 25H2 fills me with hope... and fear
ChatGPT Advanced Voice mode on a smartphone.
Talking to ChatGPT just got better, and you don’t need to pay to access the new functionality
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple H3C Magic routers hit by critical severity remote command injection, with no fix in sight
Teenager playing on a gaming PC with two monitors
Samsung's OLED monitors are about to get much cheaper - and it's about time
Apple Watch Ultra 2 timer
The Apple Watch is getting a sleep alarm upgrade it probably should have had 10 years ago
Nikon Z5
The Nikon Z5 II could land soon – here's what to expect from Nikon's rumored entry-level full-frame camera
Google Pixel Watch 3
Google Pixel Watches hit with delayed notifications, crashing, and performance issues following Wear OS 5.1 update
Frank Castle pinning Matt Murdock against a locker in Daredevil: Born Again episode 4
What time is Daredevil: Born Again episode 5 going to be released on Disney+?
AMD Ryzen 9950X
I analyzed 25 AMD Zen 4 and Zen 5 CPUs and the Ryzen 9 9900X is the best of them all right now: Here’s why
Ugreen \00d7 Genshin Impact Kinich Collectible Gift Box and exclusive Genshin Impact merchandise.
Ugreen reveals exclusive Genshin Impact collection and they're some of the most eye-catching charging products I've ever used