Critical Vulnerability in Next.js
Vulnerability
March 27, 2025
A critical vulnerability (CVE-2025-29927) in Next.js, a JavaScript framework, was recently disclosed that could allow a threat actor to bypass authentication checks performed in the middleware layer and gain access to targeted systems. The vulnerability is trivial to exploit, as it only requires sending an extra HTTP header. Based on open-source information, thousands of web applications in New Jersey use the Next.js framework. The NJCCIC advises implementing updates as soon as possible after appropriate testing. If updates cannot be installed, prevent external user requests that contain the 'x-middleware-subrequest' header from reaching the Next.js application as a workaround.
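As an added example (not part of the NJCCIC advisory or of Next.js itself), the header-blocking workaround expressed as a Node.js Connect-style filter placed in front of a Next.js application that cannot yet be updated. The header name is the one the advisory identifies; the 403 response, the log line and the case-insensitive matching are assumptions about how a site would choose to implement the block.

```javascript
// Added example: edge filter for the CVE-2025-29927 workaround.
// Rejects any external request carrying the x-middleware-subrequest header
// before it reaches the Next.js request handler.

const BLOCKED_HEADER = 'x-middleware-subrequest';

// Return true when the request carries the blocked header.
// Node lower-cases incoming header names, but we normalise anyway so the
// check also holds for header maps built by other proxies or test code.
function carriesSubrequestHeader(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER
  );
}

// Connect-style middleware: block at the edge and log the attempt, otherwise
// hand the request on (via next) to the Next.js handler. Returns true when
// the request was blocked so callers and tests can observe the decision.
function blockMiddlewareSubrequest(req, res, next) {
  if (carriesSubrequestHeader(req.headers)) {
    const client = (req.socket && req.socket.remoteAddress) || 'unknown';
    // Log line format is an assumption; feed it to your SIEM to spot probing.
    console.warn(`blocked ${BLOCKED_HEADER} request from ${client} to ${req.url}`);
    res.statusCode = 403;
    res.end('Forbidden');
    return true;
  }
  next();
  return false;
}

// Constructed request/response objects so the filter can be exercised
// without opening a socket; a real deployment would mount the middleware
// with app.use(blockMiddlewareSubrequest) ahead of the Next.js handler.
function simulate(headers, url) {
  const req = { headers, url, socket: { remoteAddress: '203.0.113.7' } };
  const res = { statusCode: 200, body: null, end(b) { this.body = b; } };
  let forwarded = false;
  const blocked = blockMiddlewareSubrequest(req, res, () => { forwarded = true; });
  return { blocked, forwarded, status: res.statusCode };
}
```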