CVE-2025-29927: Authorization Bypass in NextJS Middleware

On March 20th, a security vulnerability was published for NextJS. Yesterday, it was entered into the NIST database. We won't get into the details here; the NextJS team have published an article describing the authorization bypass in their middleware.

What'd We Do

Yesterday we tested our fix against a few NextJS-based applications we host on our network, then deployed it to all sites on our network. The fix drops any request that carries the x-middleware-subrequest header. This header is never expected to be sent with a legitimate user request, so dropping such requests does not affect normal traffic.
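As an added illustration of the mitigation described above (example code, not the post author's or the NextJS project's own), here is a small Node.js edge filter that rejects any inbound request carrying the header before it reaches the application and logs the drop as a detection signal. The `forward` callback, the request and response shapes, and the sample requests are assumptions constructed for the example.

```javascript
// Request headers that a legitimate client never sends. The mitigation in the
// post drops requests carrying x-middleware-subrequest; a Set lets an operator
// add further internal-only headers that the edge should strip or reject.
const INTERNAL_ONLY_HEADERS = new Set(['x-middleware-subrequest']);

// Returns the offending header name when the request must be dropped, else null.
// HTTP header names are case-insensitive, so compare lowercased names rather
// than relying on the upstream runtime to have normalised them already.
function findInternalOnlyHeader(headers) {
  for (const name of Object.keys(headers)) {
    if (INTERNAL_ONLY_HEADERS.has(name.toLowerCase())) return name;
  }
  return null;
}

// Edge handler: reject the request before the NextJS app sees it and emit one
// structured log line for detection. `forward(req, res)` is the caller's
// upstream proxy function (assumed). Returns true when the request was dropped.
function filterRequest(req, res, forward) {
  const bad = findInternalOnlyHeader(req.headers);
  if (bad !== null) {
    console.warn(JSON.stringify({
      event: 'dropped_internal_only_header',
      header: bad,
      method: req.method,
      url: req.url,
      remote: req.socket ? req.socket.remoteAddress : undefined,
    }));
    res.writeHead(403, { 'content-type': 'text/plain' });
    res.end('forbidden');
    return true;
  }
  forward(req, res);
  return false;
}

// Constructed sample request/response objects (not real traffic) so the filter
// can be exercised without a listening server; a real deployment would pass
// the objects from http.createServer((req, res) => filterRequest(req, res, proxy)).
function makeRequest(headers, method = 'GET', url = '/dashboard') {
  return { headers, method, url, socket: { remoteAddress: '203.0.113.10' } };
}
function makeResponse() {
  const res = { statusCode: null, body: '' };
  res.writeHead = (code) => { res.statusCode = code; };
  res.end = (body = '') => { res.body += body; };
  return res;
}
```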

Next Steps

Please update your deployments to the latest NextJS version as soon as possible.
