Pierluigi Paganini
March 24, 2025
Maintainers of Next.js React framework addressed a critical vulnerability tracked as CVE-2025-29927 (CVSS score of 9.1) with the release of versions versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
“Next.js version 15.2.3 has been released to address a security vulnerability (CVE-2025-29927). Additionally, backported patches are available.” reads the advisory. “We recommend that all self-hosted Next.js deployments using next start and output: 'standalone' should update immediately.”
Authorization checks in Next.js middleware can be bypassed, potentially allowing unauthorized access.
“It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.” continues the advisory.
Maintainers also provide a workaround if patching isn’t possible, they recommends blocking external requests with the x-middleware-subrequest header to protect Next.js application.
The researchers Allam Rachid (zhero) and Allam Yasser (inzo_) reported the vulnerability and published technical details about the issue.
Cybersecurity firm JFrog warned that websites using Middleware for user authorization without additional checks are exposed to hack. Next.js users with middleware.ts or _middleware.ts files, or those using certain npm packages, are at risk.
[2/6] Any host website that utilizes Middleware to authorize users without any additional authorization checks is vulnerable. Next.js users may be vulnerable if the file middleware.ts or _middleware.ts exists in their deployment, this indicates that a Middleware is present, but…
— JFrog Security (@JFrogSecurity) March 23, 2025
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Next.js React framework)
