An Authorization Bypass vulnerability was found in the Next.js framework, classified as CVE-2025-29927 with a critical CVSS score of 9.1. The vulnerability affects self-hosted apps using Middleware for security validations, allowing unauthorized access to restricted endpoints. The flaw is related to the X-Middleware-Subrequest header, which can be manipulated to bypass security controls. To mitigate the vulnerability, updating Next.js to the latest version and removing the header from requests are recommended.
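
The header-removal mitigation, sketched as an added example (not code from the original page or from the Next.js project): a wrapper for a plain Node `(req, res)` listener that drops X-Middleware-Subrequest before the request reaches the application and reports each removal. The function names and the `onStrip` logging callback are assumptions made for illustration.

```javascript
// Added example: strip X-Middleware-Subrequest before a request reaches the app.
// The header name comes from the advisory; all function names are hypothetical.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Remove every case variant of the header from a plain headers object.
// Returns the removed values so the caller can log the attempt.
function stripSubrequestHeader(headers) {
  const removed = [];
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === BLOCKED_HEADER) {
      removed.push(String(headers[name]));
      delete headers[name];
    }
  }
  return removed;
}

// Wrap a Node (req, res) listener, e.g. the one a self-hosted server passes
// requests to. `onStrip` is an assumed logging/alerting callback.
function withSubrequestHeaderStripped(handler, onStrip = () => {}) {
  return function (req, res) {
    const removed = stripSubrequestHeader(req.headers);
    // rawHeaders is a flat [name, value, name, value, ...] array; filter it
    // in place so both views of the request stay consistent.
    if (Array.isArray(req.rawHeaders)) {
      const kept = [];
      for (let i = 0; i < req.rawHeaders.length; i += 2) {
        if (String(req.rawHeaders[i]).toLowerCase() !== BLOCKED_HEADER) {
          kept.push(req.rawHeaders[i], req.rawHeaders[i + 1]);
        }
      }
      req.rawHeaders.splice(0, req.rawHeaders.length, ...kept);
    }
    if (removed.length > 0) {
      // A client-supplied copy of this header is worth an alert, not just a drop.
      const remote = req.socket ? req.socket.remoteAddress : undefined;
      onStrip({ url: req.url, remote, removed });
    }
    return handler(req, res);
  };
}
```

The same rule can be enforced at a reverse proxy or load balancer in front of the app; doing it there as well keeps the protection in place if the application-level wrapper is ever bypassed or removed.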