A critical security flaw has been disclosed in Next.js.
The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0.
“Next.js uses the internal header X-Middleware-Subrequest to prevent recursive requests from launching endless loops,” Next.js noted in an advisory.
“It was possible to skip running Middleware, which can allow requests to skip critical checks – for example, authorization checks – before reaching the routes.”
The flaw has been addressed in versions 12.3.5, 13.5.9, 14.2.25 and 15.2.3. If patching is not an option, users are advised to prevent external requests that contain the X-Middleware-Subrequest header from reaching the Next.js application.
Security researcher Rachid Allam (aka zhero and Cold-Try), who is credited with discovering and reporting the flaw, has since published additional technical details of the vulnerability, making it essential that users move quickly to apply the fixes.
“The vulnerability allows attackers to easily bypass the authentication check,” the report noted.
The company also stated that any website that uses middleware to authorize users without additional authorization checks is vulnerable to CVE-2025-29927, which could allow attackers to access otherwise unauthorized resources (such as administrator pages).