Next.js has become one of the most popular frameworks for modern web development, receiving over 9 million weekly downloads on npm. Powering applications for some of the world’s largest brands including TikTok, Netflix, Uber, and Nike to name a few, the React based framework’s latest update has sparked concerns from the developer community.
A newly discovered critical security vulnerability labelled CVE-2025-299227 affects Next.js versions 11.1.4 through 15.2.2, and allows attackers to bypass authorisation checks in certain conditions, potentially exposing sensitive resources to unauthorised users.
What is Next.js?
Next.js is an open-source React framework designed for building high-performance web applications. Developed and maintained by Vercel, it offers a range of features, including:
- Server-side rendering (SSR) and static site generation (SSG) for improved speed, performance, and SEO.
- API routes that allow developers to build full-stack applications within the framework.
- Middleware components for handling authentication, authorisation, and request modifications before a request completes.
- SEO-friendly architecture and fast load times, making it ideal for eCommerce, SaaS applications, and content-heavy websites.
However, as with any widely adopted technology, security vulnerabilities can have a significant impact on businesses and developers alike.
What is the Next.js Security Vulnerability?
Security researchers Rachis Allam and Yasser Allam recently discovered a critical vulnerability in Next.js middleware that allows attackers to bypass authorisation checks under certain conditions.
The researchers’ discovery came from reviewing older versions (12.0.7) of the Next.js framework when they discovered a section of code within the runMiddleware function. By adding the x-middleware-subrequest header with a specific value to a request, they could effectively bypass the middleware entirely.
Simply put, all it takes is adding a single HTTP header to your request to disable all of Next.js’s security checks, leaving digital assets extremely vulnerable.
With a CVSS base score of 9.1 (critical), organisations are advised to patch their vulnerable Next.js applications without delay.
How does the exploit work?
Middleware in Next.js is a function that runs before a request completes, enabling developers to:
-
Modify incoming requests and responses
-
Handle authentication and authorisation
-
Centralise repeated logic such as implementing redirects and localisation
The vulnerability allows attackers to bypass authorisation checks when they are implemented in middleware. This means protected resources can become accessible without proper authentication, posing a significant security risk.
What are the consequences?
Businesses and developers using Next.js for authentication and access control in middleware are at risk. It’s possible for attackers to access restricted content and exploit business logic vulnerabilities, which may indirectly provide opportunities for them to manipulate user sessions. These actions expose businesses to unauthorised access to admin panels or sensitive data, data breaches exposing customer or business information, and presents compliance risks for organisations subject to GDPR, HIPAA, or PCI-DSS regulations.
What You Should Do Next
Given the critical nature of this vulnerability, immediate action is required.
If you use Cloudflare then you can enable the managed Next.js vulnerability WAF rule, or if you use Vercel then their managed firewall has already enabled a rule to block the risk temporarily, giving you more time properly patch the vulnerability.
To address the vulnerability, we recommend taking the below actions.
1. Update to the latest version
A patch has been released for Next.js 12 and higher, addressing the security flaw.
· Next v12.x must update to at least v12.3.6
· Next v13.x must update to at least v13.5.10
· Next v14.x must update to at least v14.2.26
· Next v15.x must update to at least v15.2.4
Developers should update immediately to ensure their applications are secure.
2. Apply a temporary workaround
For applications running on older versions of Next.js, there is currently no fix available. However, you can mitigate the risk by blocking external requests with the vulnerable header, or temporarily restructure your authorisation logic to ensure it is not solely dependent on middleware.
3. Review middleware implementations
- Validate all user permissions before serving sensitive content.
- Implement logging and monitoring to detect suspicious access attempts.
Staying Secure with Next.js
Security vulnerabilities like CVE-2025-29927 highlight the importance of proactive security management in web development. As a digital agency specialising in React development and cyber security, we strongly advise businesses to:
- Keep Next.js and other dependencies up to date.
- Implement secure coding practices for authentication and authorisation.
- Stay informed about the latest security advisories and patches.
If you need assistance securing your Next.js application, our React development and cyber security experts are here to help. Contact us today to ensure your digital assets remain protected from evolving threats.
