A critical-severity vulnerability has been discovered in the Next.js open-source web development framework, potentially allowing attackers to bypass authorization checks.
The flaw, tracked as CVE-2025-29927, lets attackers send requests that reach their destination paths without passing through critical security checks.
Next.js is a popular React framework with more than 9 million weekly downloads on npm. It is used for building full-stack web apps and includes a middleware layer that is commonly used for authentication and authorization.
Front-end and full-stack developers use it to build web apps with React. Some of the more notable companies using it for their sites and apps are TikTok, Twitch, Hulu, Netflix, Uber, and Nike.
Authorization bypass
In Next.js, middleware runs before a request reaches the application's routing system and serves purposes such as authentication, authorization, logging, error handling, redirecting users, and applying geo-blocking or rate limits.
To prevent infinite loops in which middleware re-triggers itself, Next.js uses an internal header called 'x-middleware-subrequest' that dictates whether middleware functions should be applied to a request or not.
The header is read by the 'runMiddleware' function responsible for processing incoming requests. If it finds the 'x-middleware-subrequest' header with a specific value, the entire middleware execution chain is skipped and the request is forwarded straight to its destination.
Because the framework never verifies that the header actually came from itself, an attacker can manually send a request that includes the header with the expected value and thus bypass every protection implemented in middleware. The value is not a secret: it is derived from the middleware's name in the project, so it can be guessed.
According to researchers Allam Rachid and Allam Yasser (inzo_), who discovered the vulnerability and published a technical write-up, "the header and its value act as a universal key allowing rules to be overridden."
The vulnerability affects all Next.js versions before 15.2.3, 14.2.25, 13.5.9, and 12.3.5. Users are advised to upgrade to the fixed releases as soon as possible, since technical details for exploiting the issue are public.
Next.js' security bulletin clarifies that CVE-2025-29927 affects only self-hosted deployments that use 'next start' with 'output: standalone'. Next.js apps hosted on Vercel and Netlify, or deployed as static exports, are not affected.
Exposure also depends on how middleware is used: an application is affected when middleware is where its authorization or security checks happen and nothing later in the application validates the request again.
If patching is not possible right away, the recommended mitigation is to block external user requests that include the 'x-middleware-subrequest' header before they reach the application.
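The following stand-alone model ties the mechanism above to the mitigation. It is an added example, not Next.js source code and not the researchers' proof of concept: the 'middlewareIsSkipped' function imitates the header check described in the article, 'authMiddleware', 'routeHandler', 'vulnerableServer', 'edgeFilter' and 'mitigatedServer' are illustrative names, and the sample requests are constructed. The middleware name 'middleware' and the recursion depth of 5 are assumptions about one common project layout and one affected version line; the exact expected value differs across the affected versions, which is why the fix is to upgrade or to drop the header entirely rather than to filter for a particular value.

```javascript
// Added example (not Next.js code): model of the x-middleware-subrequest gate
// and of the advisory's mitigation. All function names are illustrative.

const HEADER = 'x-middleware-subrequest'; // real header name from the advisory

// ASSUMPTIONS: a project whose middleware file is ./middleware.ts is registered
// under the name 'middleware', and the pre-patch recursion guard allowed five
// nested subrequests. Other versions and layouts expect a different value.
const MIDDLEWARE_NAME = 'middleware';
const MAX_RECURSION_DEPTH = 5;

// Model of the vulnerable gate: the header is split on ':' and, if the
// middleware's own name appears MAX_RECURSION_DEPTH times, the framework
// assumes it is re-entering itself and skips the whole middleware chain.
// Node lowercases incoming header names, so the exact-key lookup mirrors what
// the server sees.
function middlewareIsSkipped(headers) {
  const raw = headers[HEADER];
  const subrequests = typeof raw === 'string' ? raw.split(':') : [];
  const depth = subrequests.filter((name) => name === MIDDLEWARE_NAME).length;
  return depth >= MAX_RECURSION_DEPTH;
}

// Illustrative authorization middleware: /admin requires a valid session cookie.
function authMiddleware(req) {
  if (req.path.startsWith('/admin') && req.headers.cookie !== 'session=valid') {
    return { status: 401, body: 'unauthorized' };
  }
  return null; // fall through to the route handler
}

function routeHandler(req) {
  return { status: 200, body: `served ${req.path}` };
}

// Vulnerable pipeline: the header-controlled skip runs before any auth check.
function vulnerableServer(req) {
  if (!middlewareIsSkipped(req.headers)) {
    const denied = authMiddleware(req);
    if (denied) return denied;
  }
  return routeHandler(req);
}

// Mitigation from the advisory: reject external requests carrying the header
// before they reach the application. HTTP header names are case-insensitive,
// so the filter must not depend on the client's spelling. Stripping the header
// (delete req.headers[name]) instead of rejecting is the quieter alternative.
function edgeFilter(req) {
  const present = Object.keys(req.headers).some(
    (name) => name.toLowerCase() === HEADER,
  );
  return present ? { status: 403, body: 'forbidden header' } : null;
}

function mitigatedServer(req) {
  return edgeFilter(req) || vulnerableServer(req);
}

// Constructed sample requests.
const anonymous = { path: '/admin', headers: {} };
const bypass = {
  path: '/admin',
  headers: { [HEADER]: Array(MAX_RECURSION_DEPTH).fill(MIDDLEWARE_NAME).join(':') },
};

console.log('anonymous, vulnerable server :', vulnerableServer(anonymous).status); // 401
console.log('bypass header, vulnerable    :', vulnerableServer(bypass).status);    // 200
console.log('bypass header, mitigated     :', mitigatedServer(bypass).status);     // 403
```

Run it with `node` to see the three outcomes. The point to take from the model is that the filter belongs at the edge (reverse proxy, load balancer or WAF) in front of the Node process, so that the header can only ever originate from the framework's own internal subrequests, and that it must match the header name regardless of case.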