CVE-2025-29927 is an authorization bypass in Next.js: a request carrying a crafted `x-middleware-subrequest` header was treated as an internal subrequest, so Next.js skipped running middleware, including any authentication or authorization checks implemented there. The fix is to update to v14.2.25 or v15.2.3 (or later). If you cannot patch immediately, strip or block the `x-middleware-subrequest` header at your WAF or reverse proxy so it never reaches the application (Next.js itself has no built-in WAF). Applications that enforce authorization inside route handlers and data access, rather than only in middleware, are not bypassed by this header alone. #nextjs
For more details, check out the original tweet here: https://twitter.com/devhims/status/1903670347553030410