Next.js Middleware Permission Bypass Vulnerability (CVE-2025-29927)

Overview Recently, NSFOCUS CERT detected that Next.js issued a security announcement and fixed the middleware permission bypass vulnerability (CVE-2025-29927). Because Next.js lacks effective verification of the source of the x-middleware-subrequest header, when configuring to use middleware for authentication and authorization, an unauthenticated attacker can bypass system permission controls by manipulating the x-middleware-subrequest header to access […]

The post Next.js Middleware Permission Bypass Vulnerability (CVE-2025-29927) appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..

The post Next.js Middleware Permission Bypass Vulnerability (CVE-2025-29927) appeared first on Security Boulevard.

This article has been indexed from Security Boulevard

Read the original article: