Researchers say a Next.js flaw that existed for several years could have let hackers bypass middleware-based authentication; Vercel patched the flaw on March 18

Next.js version 15.2.3 has been released to address a security vulnerability (CVE-2025-29927).

Related coverage:

  • zhero_web_security: Next.js and the corrupt middleware: the authorizing artifact
  • National Vulnerability Database: References to Advisories, Solutions, and Tools
  • Security Boulevard: Next.js Middleware Permission Bypass Vulnerability (CVE-2025-29927)
  • Tim Anderson / DEVCLASS: Next.js team fixes vuln that allows auth bypass when middleware is used, revises documentation recommending this method
  • Bill Toulas / BleepingComputer: Critical flaw in Next.js lets hackers bypass authorization
  • The Hacker News: Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
  • Simon Willison / Simon Willison's Weblog: Next.js and the corrupt middleware: the authorizing artifact. Good, detailed write …
  • Ryan Daws / Developer Tech News: Critical security flaw uncovered in Next.js framework

Bluesky:

  • Gergely Orosz / @gergely.pragmaticengineer.com: The vulnerability explained: zhero-web-sec.github.io/research- and... On first read, it sounds like a very bad one. However, looking closer: — 1. Although the middleware can be used for auth (docs even mention this): it's rarely ever done for it (at least just by itself.) It's more a “redirect engine”
  • Gergely Orosz / @gergely.pragmaticengineer.com: Here is a recent vulnerability disclosed for Next.js: — For sites using the Next.js middleware for auth, an attacker could bypass the Next.js middleware to get to any page, skipping auth checks here: — BUT. — If the site has more auth checks later, it wouldn't necessarily load
  • Barry Dorrans / @blowdart.me: 1) a lot of you should be very busy this weekend — 2) just add x-middleware-subrequest=true to a request and bingo? Dear lord.
  • Catalin Cimpanu / @campuscodi.risky.biz: “It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.” — With the amount of Next.js-based sites around, especially on infosec sites, I'd say this looks like a problem. — CVSS: 9.1 — github.com/vercel/next....

Mastodon:

  • Kevin Beaumont / @GossiTheDog@cyberplace.social: Just to echo @hdm and others - you might want to patch and (first) WAF filter for the Next.js vuln CVE-2025-29927 as a matter of priority. — There's over 300k of these bad boys on Shodan, before you even get to ones behind cloud WAFs that filter headers. They're basically all vuln. …

X:

  • Klaas / @forgebitz: So far this weekend: - vercel and cloudflare CEO have beef - rippling cofounder is on the run from police - saratoga sales surge - nextjs has some security issues. Who said b2b saas is boring
  • @sebastienlorber: Next.js middleware checking request auth [video]
  • Vic / @vicvijayakumar: Next.js is having its PHP moment. In the early 2010s, a large number of new developers picked up PHP because it was easy to build things with it. Not all PHP devs wrote bad code, but a lot of bad code was written by PHP devs who were rolling their own ORMs / auth / sql adapters.
  • Steven Tey / @steventey: One interesting thing about the @nextjs CVE that not a lot of people are talking about: It only affects your app if you fully rely on Middleware for auth (and are not auth'ing subsequent API requests). In other words, if you: ◆ only use Middleware for routing ◆ are [image]
  • Gergely Orosz / @gergelyorosz: Up to recently, if a vendor had an outage/security issue, their competitors would purposefully not take advantage of this: would not badmouth the vendor or tell customers to switch. Feels like this is changing. Replit and Cloudflare both doing this following the Next.js CVE
  • Karthik Kamalakannan / @imkarthikk: This is not how you acknowledge a major vulnerability that affected millions of users. @CloudflareDev acted faster than @vercel's team. And as always, Vercel never fails to disappoint me. They are not the team with good intentions. Vendor lock-in. Lack of ownership. Shying away
  • Guillermo Rauch / @rauchg: Vercel stands for a better, more secure web. We missed the mark on how we communicated about this CVE, esp with industry partners. We'll iterate, our coordination & disclosure processes will strengthen as a result. I truly appreciate the outpouring of feedback from the community

Forums:

  • Hacker News: Next.js and the corrupt middleware: the authorizing artifact
  • r/nextjs: Next.js CVE-2025-29927
  • r/nextjs: Authorization Bypass Vulnerability in Vercel Next.js: CVE-2025-29927
  • Lobsters: Next.js CVE-2025-29927

CyberScoop Matt Kapko
