Critical Next.js Middleware Vulnerability: CVE-2025-29927

2025-03-23

Security researchers discovered a critical vulnerability (CVE-2025-29927) in Next.js's middleware, affecting nearly all versions from 11.1.4 to the latest. The flaw allows attackers to bypass middleware, including authentication and authorization, by manipulating the `x-middleware-subrequest` header. This can lead to security measures being bypassed and even to cache-poisoning denial-of-service attacks. Vercel has released patches; all Next.js users should upgrade immediately.
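
A defensive filter for the header described above, as an added example that is not from the original page or from the Next.js project. It assumes a Connect/Express-style proxy or custom Node server sits in front of the application and serves as a stopgap until the upgrade is deployed; the names `stripSubrequestHeader` and `subrequestGuard` are hypothetical.

```javascript
// Added example (not Next.js code). Assumption: runs in a proxy or custom
// Node server in front of Next.js, using Connect/Express-style middleware.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Deletes the header from a headers object in place, whatever its letter
// case, and returns the names that were removed (empty array if none).
function stripSubrequestHeader(headers) {
  const removed = [];
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === BLOCKED_HEADER) {
      removed.push(name);
      delete headers[name];
    }
  }
  return removed;
}

// mode 'strip': forward the request without the header.
// mode 'block': answer 403 and do not forward.
// Either way the event is logged so it can feed detection and alerting.
function subrequestGuard({ mode = 'strip', log = console.warn } = {}) {
  return function guard(req, res, next) {
    const removed = stripSubrequestHeader(req.headers);
    if (removed.length === 0) return next(); // ordinary request, untouched

    const source = req.socket?.remoteAddress ?? 'unknown';
    log(`client-supplied ${BLOCKED_HEADER} from ${source}: ${req.method} ${req.url}`);

    if (mode === 'block') {
      res.statusCode = 403;
      res.end('Forbidden');
      return;
    }
    next(); // header already removed, safe to hand to the application
  };
}
```

Legitimate clients have no reason to send this header, so a logged hit is worth reviewing as a probe against the middleware.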
