Critical Next.js Middleware Vulnerability (CVE-2025-29927)

A major auth bypass vulnerability in Next.js middleware (prior to v14.2.25 / v15.2.3) allows attackers to inject the x-middleware-subrequest header and bypass authorization entirely. Exploitable via simple HTTP requests—no user interaction, no special permissions.

Patch. Now. Or block the header manually.

GitHub scored this 9.1 CRITICAL, but the real issue? This flaw exposes a systemic weakness in middleware validation, and some vendors weren’t exactly upfront about the risks.

Details + POC: https://zeropath.com/blog/nextjs-middleware-cve-2025-29927-auth-bypass
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29927

Security theater is easy. Secure defaults and transparency are harder—but essential.

Une faille critique dans Next.js permet de contourner les vérifications d'autorisation effectuées dans le middleware.

Framework React trés populaire pour le rendu web côté serveur.

Détails techniques

En injectant l'en-tête x-middleware-subrequest, un attaquant peut bypasser les contrôles d'accès et accéder à des ressources normalement protégées.

Exploit documenté ici

"Next.js and the corrupt middleware: the authorizing artifact"

https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

Versions vulnérables

• 15.x < 15.2.3
  
• 14.x < 14.2.25
  
• 11.1.4 → 13.5.6

Solutions

Mettez à jour vers 15.2.3 ou 14.2.25


https://nextjs.org/blog/cve-2025-29927

https://github.com/advisories/GHSA-f82v-jwr5-mffw

En attendant : bloquez les requêtes contenant x-middleware-subrequest côté serveur / WAF

Et effectivement selon le moteur de recherche de surface d’attaque ONYPHE,

il y en a un paquet… y compris en Suisse

Critical CVE-2025-29927 Vulnerability Exposes Next.js Middleware to Authorization Bypass

A newly disclosed vulnerability in Next.js, CVE-2025-29927, allows attackers to bypass middleware protections, raising serious security concerns for developers. The Next.js team has swiftly released p...

https://news.lavx.hu/article/critical-cve-2025-29927-vulnerability-exposes-next-js-middleware-to-authorization-bypass

Unveiling a Critical Vulnerability in Next.js Middleware: A Deep Dive

A recent security discovery has exposed a critical vulnerability in Next.js middleware, affecting all versions from 11.1.4 onwards. This flaw allows attackers to bypass authentication and authorizatio...

https://news.lavx.hu/article/unveiling-a-critical-vulnerability-in-next-js-middleware-a-deep-dive

CVE-2025-29927 – Next.js

https://nextjs.org/blog/cve-2025-29927

Готовим геотаргетинг на nginx + GeoIP2 и связываем с локализацией в Next.js

В этой статье поделюсь быстрым способом настройки геотаргетинга на nginx + GeoIP2 в связке с локализацией Next.js на примере решения реальной задачи. Вы узнаете как подключить и настроить GeoIP2 к nginx , как приоритизировать и настроить критерии выбора домена и локали, и как подружить это с Next.js

https://habr.com/ru/articles/893294/

Rebuild the frontend today looks a lot nicer now and is less horrible code wise. https://github.com/paviro/RPi-LED-Sign-Controller #ledmatrix #led #lights #rust #nextjs #node
https://whisper.tf/@paul/114195460553220826

Building APIs With Next.js, by @leerob@x.com (@nextjs.org):

https://nextjs.org/blog/building-apis-with-nextjs

Next.js — The React Framework

https://w3things.com/blog/nextjs/

Learn Next.js, a full-stack React framework. Explore its features, such as the App Router, Incremental Static Regeneration (ISR), and Server-Side Rendering.

Docs: Real-time collaborative note-taking system, with off-line mode.

Built on top of #Django #NextJS #Yjs (CRDTs) #MinIO #BlockNoteJS. Easy to self-host, MIT license. Joint effort of the French and German governments.

https://docs.numerique.gouv.fr/

https://github.com/suitenumerique/docs

/via @alexlunaview

Going for a walk, drive, workout, or run? Take #69: Tales from Ken’s Side with you! @kito99@mastadon.social, @ianhlavats and @dhinojosa are joined by #JavaChampion, trainer, @nofluff speaker and book author @kenkousen. #ai #kotlin #mockito #jvm #nextjs #spring https://www.pubhouse.net/2024/01/stackd-69-tales-from-kens-side.html

#nextjs devs,

Since nextjs redirect can't be used inside `try/catch` block, How do you handle the redirections in server actions?

Especially when you don't want to handle `| undefined` in the return type of function in #TypeScript.

As of now I am doing redirection on client.

Is there a better way?

Nicktio – the ultimate #NextJS #Tailwind website #template designed for payment platforms, #fintech #startups, and financial services. With sleek #design & robust functionality, launch your world-class web presence today!

https://getnextjstemplates.com/products/nicktio-nextjs-tailwind-website-template
#WebDevelopment

Whatnot is hiring Fullstack Engineer, Ads - Poland

#nextjs #react #api #graphql
Remote; Kraków, Poland
Full-time
Whatnot

Job details https://jobsfordevelopers.com/jobs/fullstack-engineer-ads-poland-at-whatnot-com-feb-6-2025-031f77?utm_source=mastodon.world&utm_medium=social&utm_campaign=posting
#jobalert #jobsearch #hiring

Unraveling a Head-Scratching Bug in Image Processing with Next.js and vips

A seemingly simple bug in a web application led to a deep dive into the intricate workings of image processing libraries and environment variables. This journey reveals the complexities developers fac...

https://news.lavx.hu/article/unraveling-a-head-scratching-bug-in-image-processing-with-next-js-and-vips

Why We Ditched Next.js and Never Looked Back, by @northflankwill@x.com and @tdjs (@northflank@x.com):

https://northflank.com/blog/why-we-ditched-next-js-and-never-looked-back

I'm reading that it's possible to use #nextjs with #bun instead of #node?

I tried to build my #nextjs app in standalone mode. It's only 70MB instead of 1GB. #Prisma CLI seems to be still working properly. I need it to run the migrations

Question from a noob with no clue about this stuff:

Is next.js v14 still maintained? From what I can tell there are only two release channels with next.js: Stable and Canary. Right now those correspond to 15.2.x and 15.3.x respectively.

Where does that leave v14 and older versions of next.js in terms of support and patching?

I managed to run my CRM in production, with the database migrations

Next step is to make a smaller #Docker image. It's currently around 1GB, due to node_modules. I'll try the standalone mode. Hope prisma will still work.