A critical vulnerability has been discovered in the popular Next.js framework, used for building interactive web applications, which allows an authorization bypass if the "middleware" function is enabled for linking to a service. The vulnerability, identified as CVE-2025-29927, is considered critical as it could allow threat actors to bypass security checks, gaining unauthorized access to sensitive areas of a web application.

The vulnerability was discovered by researchers Rachid A and Yasser Allam, who warned that the impact is considerable, with all versions of Next.js affected, starting from version 11.1.4, and no preconditions for exploitability. This means that any web application using Next.js, including e-commerce sites, could be vulnerable to attack if not patched.

Johannes Ullrich, dean of research at the SANS Institute, explained that the vulnerability would allow an attacker to bypass security checks, such as authorization, access control, or session cookie validation, by simply adding a specific header to their request. "You can access things like admin features that are supposed to be authorized just by adding a simple header," he said.

Developers and web administrators are advised to immediately update their Next.js installations to version 15.2.3 or 14.2.25, depending on their current version. Those who cannot patch their installations can mitigate the vulnerability by preventing external user requests containing the x-middleware-subrequest header from reaching the Next.js application, as recommended by Vercel, the developer of Next.js.

It's worth noting that not all Next.js applications are affected. On-prem applications that don't invoke the "middleware" command (next start with output: standalone), or applications hosted on Vercel or Netlify, are not vulnerable to this specific issue.

Ullrich warned that this vulnerability is not an isolated incident, but rather a symptom of a broader issue in modern web application development. "It's really a vulnerability in the way modern web applications are built, particularly if they target cloud deployments," he said. "They are often built with different components that hand requests back and forth to find the answer to a user's request. Things like this are often used to short-cut or simplify authorization. But if it's not done correctly you end up with these bypass vulnerabilities."

He cautioned that similar vulnerabilities may be lurking in other development frameworks, highlighting the need for developers to remain vigilant and proactive in securing their applications. As the web development landscape continues to evolve, it's essential for developers to prioritize security and stay informed about potential vulnerabilities in the tools and frameworks they use.

In conclusion, the discovery of this critical vulnerability in Next.js serves as a reminder of the importance of security in web application development. Developers and web administrators must take immediate action to patch their installations and protect their applications from potential attacks. As the tech industry continues to grapple with the complexities of modern web development, it's crucial to prioritize security and collaboration to ensure the integrity of the web ecosystem.