On 31 August 2025, security researchers disclosed CVE-2025-29927, a critical authorization bypass vulnerability in the Next.js framework.
The flaw stems from improper handling of the x-middleware-subrequest header in Next.js middleware, allowing attackers to circumvent authentication and gain unauthorized access to protected routes.
This article provides an in-depth technical analysis, demonstrates proof-of-concept exploits, and outlines mitigation strategies.
https://cyberpress.org/critical-next-js ... orization/