A critical security flaw has been disclosed in the Next.js React framework that could potentially be exploited to bypass authorization checks under certain circumstances.
The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0.
“Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops,” Next.js said in an advisory.
“It was possible to skip running middleware, which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes.”
The shortcoming has been addressed in versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. If patching is not an option, it is recommended that users prevent external user requests that contain the x-middleware-subrequest header from reaching the Next.js application.
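The interim mitigation above, written out as an added example in plain Node.js (this is not code from the Next.js project or its advisory): a Connect/Express-style guard that rejects any external request carrying the internal x-middleware-subrequest header, plus a small scan over structured access logs so a defender can check whether such requests have already arrived. The request/response shapes, the JSON-per-line log format and the sample log entries are all assumptions constructed for the demonstration.

```javascript
// Added example; not code from the Next.js project or its advisory.
// Applies the advisory's interim mitigation in a generic Node.js request
// handler and adds a matching detection over constructed access logs.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// True when the header map contains the internal header. HTTP header names
// are case-insensitive, so compare them lower-cased.
function carriesInternalHeader(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === INTERNAL_HEADER,
  );
}

// Connect/Express-style guard (req, res, next are assumed to follow that
// shape). The header is strictly internal, so a request from outside that
// carries it is rejected rather than forwarded to the application.
function blockInternalHeader(req, res, next) {
  if (carriesInternalHeader(req.headers)) {
    res.statusCode = 400;
    res.end('bad request');
    return false;
  }
  return next();
}

// Detection: scan JSON-per-line access logs (constructed format:
// {"ts":..., "method":..., "path":..., "headers":{...}}) and return a
// one-line summary of each request that arrived with the internal header.
function findRequestsWithInternalHeader(logLines) {
  const hits = [];
  for (const line of logLines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (e) {
      continue; // skip malformed lines instead of aborting the whole scan
    }
    if (carriesInternalHeader(entry.headers)) {
      hits.push(`${entry.ts} ${entry.method} ${entry.path}`);
    }
  }
  return hits;
}

// Constructed sample log lines; the header value is a placeholder.
const SAMPLE_LOG = [
  '{"ts":"2025-03-23T10:00:00Z","method":"GET","path":"/","headers":{"host":"app.example"}}',
  '{"ts":"2025-03-23T10:00:01Z","method":"GET","path":"/admin","headers":{"host":"app.example","X-Middleware-Subrequest":"placeholder"}}',
  'not json at all',
  '{"ts":"2025-03-23T10:00:02Z","method":"GET","path":"/admin","headers":{"host":"app.example","cookie":"session=abc"}}',
];

// Stand-alone demonstration with fake req/res objects.
function demo() {
  const res = { statusCode: 200, body: '', end(b) { this.body = b; } };
  const external = {
    headers: { host: 'app.example', 'X-Middleware-Subrequest': 'placeholder' },
  };
  const forwarded = blockInternalHeader(external, res, () => true);
  return {
    forwarded,                       // false: the guard stopped the request
    status: res.statusCode,          // 400
    hits: findRequestsWithInternalHeader(SAMPLE_LOG), // one suspicious entry
  };
}
```

Placing the guard in front of the application (or the equivalent rule in a reverse proxy or WAF) is the point: the header must only ever be set by Next.js itself for its own sub-requests, so its presence on an inbound edge request is never legitimate and is worth alerting on as well as blocking.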

Security researcher Rachid Allam (aka zhero and cold-try), who is credited with discovering and reporting the flaw, has since published additional technical details of the flaw, making it imperative that users move quickly to apply the fixes.

“The vulnerability allows attackers to easily bypass authorization checks performed in Next.js middleware, potentially allowing attackers access to sensitive web pages reserved for admins or other high-privileged users,” JFrog said.
The company also said any host website that uses middleware to authorize users without any additional authorization checks is vulnerable to CVE-2025-29927, potentially enabling attackers to access otherwise unauthorized resources (e.g., admin pages).
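JFrog's point, that a site is exposed when middleware is the only place authorization happens, is shown below as an added example (not code from JFrog or the Next.js project). It contrasts a route that assumes middleware has already vetted the caller with one that re-checks the session itself, and simulates what each returns when the middleware does and does not run. The session store, cookie format, request shape and the simplified pipeline are constructed assumptions, not Next.js APIs.

```javascript
// Added example; not code from JFrog or the Next.js project. It shows why
// authorization must not live only in middleware: if the middleware is
// skipped, a route that trusts it grants access, while a route with its
// own check still refuses. Everything below is constructed for the demo.

// Constructed session store: session token -> role.
const SESSIONS = {
  'tok-admin-1': 'admin',
  'tok-user-1': 'user',
};

// Resolve the caller's role from a Cookie header; null if absent/unknown.
function roleFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader || '');
  return m ? SESSIONS[m[1]] || null : null;
}

// Middleware: rejects non-admins before the route runs. Returns a response
// to short-circuit with, or null to continue to the route.
function authMiddleware(req) {
  const role = roleFromCookie(req.headers.cookie);
  if (role !== 'admin') return { status: 403, body: 'forbidden' };
  req.role = role;
  return null;
}

// Route that relies entirely on middleware: it never checks the caller.
// This is the pattern described as vulnerable above.
function middlewareOnlyAdminRoute() {
  return { status: 200, body: 'admin dashboard' };
}

// Route with its own authorization check, independent of middleware.
function defenseInDepthAdminRoute(req) {
  if (roleFromCookie(req.headers.cookie) !== 'admin') {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: 'admin dashboard' };
}

// Simplified pipeline; `middlewareRan` models whether the middleware
// actually executed for this request.
function handle(req, route, middlewareRan) {
  if (middlewareRan) {
    const rejected = authMiddleware(req);
    if (rejected) return rejected;
  }
  return route(req);
}

// Status codes both routes return for a given cookie and pipeline state.
function outcome(cookie, middlewareRan) {
  const mk = () => ({ headers: { cookie } });
  return {
    middlewareOnly: handle(mk(), middlewareOnlyAdminRoute, middlewareRan).status,
    defenseInDepth: handle(mk(), defenseInDepthAdminRoute, middlewareRan).status,
  };
}
```

With the middleware running, both routes behave identically (admins get 200, everyone else 403). With it skipped, only the route that performs its own check still returns 403; the middleware-only route serves the admin page to any caller. Re-validating the session in the handler (or in a shared data-access layer) is the additional check JFrog refers to, and it keeps the application safe even while the patched Next.js versions are being rolled out.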