Next.js disclosed a CVSS 9.1 authentication bypass vulnerability (CVE-2025-29927) over the weekend. The flaw is trivially exploitable: the `x-middleware-subrequest` header exists to mark internal subrequests the framework makes to itself, but the affected releases trust it even when it arrives from an external client. A request whose header value the runtime accepts (the middleware module name, e.g. `middleware`, repeated enough times to reach the internal recursion limit on recent releases) skips middleware processing entirely, including any authentication or authorization checks implemented there.
Shodan reports […]
Comments
Minor correction:
> Next.js recommends that customers upgrade to 15.2.3 or 14.2.5.
14.2.25 is the fixed version, not 14.2.5 https://github.com/vercel/next.js/releases/tag/v14.2.25
The next question is who thought this was a good idea and how on earth did it make it through code review? How long has this been out there?