CVE-2025-29927 is a critical authorization-bypass flaw in Next.js middleware. According to security researchers Rachid and Yasser Allam (inzo_), it stems from the way Next.js middleware processes the x-middleware-subrequest header, an internal framework mechanism that, when supplied from outside, lets requests bypass the checks middleware is supposed to enforce. The flaw affects authentication flows, authorization controls, path rewriting, and security header implementations across multiple Next.js versions. With roughly 10 million weekly downloads of Next.js, thousands of production web applications are potentially exposed to unauthorized access, including systems in sensitive sectors such as banking and blockchain.

Next.js middleware is the component where many applications implement authentication checks, path rewriting, server-side redirects, and security headers such as Content Security Policy (CSP). When the bypass is exploited, an attacker can reach protected administrative interfaces, skip authentication requirements, and circumvent security headers like CSP that the middleware would otherwise apply.

CVE-2025-29927 demonstrates how a framework's internal mechanisms can become significant security vulnerabilities. It is a reminder that seemingly minor implementation details in web frameworks lead to serious exposures when they are not validated against external manipulation.
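The following is an added example, not code from the article or from Next.js itself. It models the class of bug described above in a small request pipeline: an internal-only header (the name x-middleware-subrequest is taken from the article; the skip rule and the header value used here are a simplified, hypothetical model, not the real Next.js logic) is honoured regardless of who set it, so an external client can skip the auth middleware. It then shows the stopgap a practitioner would apply at the edge while upgrading: strip the header from inbound requests before the framework sees it. The /admin route, the session cookie and the sample requests are constructed for the example.

```javascript
// Added example (not Next.js's own code). Models how honouring an internal
// marker header from untrusted input lets middleware be bypassed, and how
// stripping that header at the edge neutralises the bypass.

// Header name is from the advisory; treating "any value present" as an
// internal subrequest is a hypothetical simplification for this model.
const INTERNAL_SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Hypothetical protected route and session cookie the auth middleware expects.
const PROTECTED_PREFIX = '/admin';
const VALID_SESSION = 'session=valid-token';

// Auth middleware: redirect unauthenticated requests away from /admin.
// Header names are assumed to be lower-cased by the time they reach us.
function authMiddleware(req) {
  const cookie = req.headers['cookie'];
  if (req.path.startsWith(PROTECTED_PREFIX) && cookie !== VALID_SESSION) {
    return { status: 307, location: '/login' };
  }
  return null; // fall through to the route handler
}

// Vulnerable pipeline: an internal subrequest marker is trusted no matter
// where it came from, so the auth middleware never runs for requests that
// carry it. An external attacker can simply add the header.
function handleVulnerable(req) {
  const looksInternal = req.headers[INTERNAL_SUBREQUEST_HEADER] !== undefined;
  if (!looksInternal) {
    const verdict = authMiddleware(req);
    if (verdict) return verdict;
  }
  return { status: 200, body: `served ${req.path}` };
}

// Edge mitigation: drop the internal header from every inbound request so
// only the framework itself can ever set it. Returns a new request object.
function stripInternalHeaders(req) {
  const headers = { ...req.headers };
  delete headers[INTERNAL_SUBREQUEST_HEADER];
  return { ...req, headers };
}

// Hardened pipeline: same framework logic, but the header is removed first.
function handleHardened(req) {
  return handleVulnerable(stripInternalHeaders(req));
}

// Detection helper: flag inbound requests that carry the internal header,
// which a legitimate external client has no reason to send.
function isSpoofAttempt(req) {
  return req.headers[INTERNAL_SUBREQUEST_HEADER] !== undefined;
}

// Constructed sample requests.
const anonymousAdmin = { path: '/admin/users', headers: {} };
const spoofedAdmin = {
  path: '/admin/users',
  headers: { [INTERNAL_SUBREQUEST_HEADER]: 'middleware' }, // hypothetical value
};
const loggedInAdmin = { path: '/admin/users', headers: { cookie: VALID_SESSION } };

// Usage: compare the two pipelines on the spoofed request.
console.log('vulnerable:', handleVulnerable(spoofedAdmin)); // 200, auth skipped
console.log('hardened:  ', handleHardened(spoofedAdmin));   // 307 redirect to /login
console.log('spoof attempt flagged:', isSpoofAttempt(spoofedAdmin));
```

The fix that matters is upgrading to a patched Next.js release; stripping or rejecting the header at the reverse proxy is the compensating control for the interval before that, and logging every external request that carries it gives incident responders a direct signal of exploitation attempts.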
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 24 Mar 2025 07:45:04 +0000