Security News > 2025 > March > Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
2025-03-24 09:17
A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions. The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0. "Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops," Next.js said in an
News URL
https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html
Related news
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence (source)
- Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution (source)
- ASUS warns of critical auth bypass flaw in routers using AiCloud (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- Ivanti warns of critical Neurons for ITSM auth bypass flaw (source)
- Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE (source)
- Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise (source)
- Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin (source)
- Hewlett Packard Enterprise warns of critical StoreOnce auth bypass (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-03-21 | CVE-2025-29927 | Next.js is a React framework for building full-stack web applications. | 0.0 |