Critical Vulnerability in Next.js Middleware (CVE-2025-29927)

Published On: Mar 27, 2025 08:56

Advisory No: TZCERT-SA-25-0078

Source: GitHub

Software Affected: Next.js 11.x, Next.js 12.x, Next.js 13.x, Next.js 14.x, Next.js 15.x

Overview

A critical vulnerability affects Next.js, the React web framework maintained by Vercel. Exploitation of this vulnerability may allow an unauthenticated attacker to bypass authentication and authorization checks that an application implements in its middleware.

Description

Multiple Next.js versions are affected by a vulnerability tracked as CVE-2025-29927 with a CVSS score of 9.1. Next.js uses the internal request header x-middleware-subrequest to mark requests that middleware has already processed, so that middleware is not run on them a second time. The server did not verify that this header originated internally, and its expected value (the middleware's name, such as middleware, optionally repeated in a colon-separated list) is predictable. An attacker who adds the header to an external request can therefore cause the application to skip its middleware entirely. Successful exploitation allows attackers to bypass authentication, authorization and any other checks implemented in middleware, and to reach routes that are protected only by it.

Impact

Successful exploitation of this vulnerability may allow attackers to bypass middleware-based security controls on the affected system, including login redirects, role checks, and security headers or rewrites applied in middleware. Self-hosted deployments that rely on middleware as the only protection for a route are the most exposed.

Solution

Next.js has released security patches for this vulnerability in versions 15.2.3, 14.2.25, 13.5.9 and 12.3.5. Users and administrators are encouraged to update to the patched release for their major version. Where updating is not immediately possible, strip or block external requests that carry the x-middleware-subrequest header at the reverse proxy, load balancer or WAF before they reach the application; a legitimate client never sends this header, so its presence on inbound traffic should also be logged and alerted on.
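The following is an added example, not Next.js's own source or the advisory's. It models the middleware-skip logic described above in simplified form, next to the two controls a self-hosted operator can apply without waiting for a patch: detecting the header on inbound requests and stripping it at the edge. The request objects, the authMiddleware and adminHandler functions, and the MAX_DEPTH constant are constructed stand-ins; header names are assumed lower-cased, as Node's HTTP parser delivers them.

```javascript
// Added example (not Next.js's own source): simplified model of the
// CVE-2025-29927 middleware-skip logic and its edge mitigation.

// Internal header Next.js used to mark a request as a middleware sub-request
// so that middleware would not be invoked on it again.
const SUBREQUEST_HEADER = 'x-middleware-subrequest';
// Constructed recursion limit for the depth-based variant of the check.
const MAX_DEPTH = 5;

// Constructed application middleware: /admin requires a session cookie.
function authMiddleware(req) {
  if (req.path.startsWith('/admin') && !req.cookies.session) {
    return { status: 302, location: '/login' };
  }
  return null; // null means "continue to the route handler"
}

// Constructed protected route handler.
function adminHandler() {
  return { status: 200, body: 'admin page' };
}

// Vulnerable dispatch. The server treats the header as proof that the
// request came from middleware itself and skips middleware when either
//  - the middleware's name appears in the colon-separated list, or
//  - with useDepthCheck, it appears at least MAX_DEPTH times.
// Nothing verifies that the header was set internally, so a client can add it.
function dispatchVulnerable(req, { middlewareName = 'middleware', useDepthCheck = false } = {}) {
  const raw = req.headers[SUBREQUEST_HEADER];
  const chain = typeof raw === 'string' ? raw.split(':') : [];
  const depth = chain.filter((name) => name === middlewareName).length;
  const skip = useDepthCheck ? depth >= MAX_DEPTH : chain.includes(middlewareName);
  if (!skip) {
    const verdict = authMiddleware(req);
    if (verdict) return verdict;
  }
  return adminHandler();
}

// Detection: a legitimate external client never sends this header, so its
// presence on an inbound request is worth alerting on. Header names are
// case-insensitive, so compare lower-cased.
function carriesSubrequestHeader(headers) {
  return Object.keys(headers).some((name) => name.toLowerCase() === SUBREQUEST_HEADER);
}

// Mitigation when patching is not yet possible: drop the header from every
// inbound request at the proxy/WAF layer before it reaches the application.
function stripInternalHeaders(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    if (name.toLowerCase() !== SUBREQUEST_HEADER) headers[name] = value;
  }
  return { ...req, headers };
}

// Hardened dispatch: the same server logic behind an edge that strips the header.
function dispatchHardened(req, options) {
  return dispatchVulnerable(stripInternalHeaders(req), options);
}

// Constructed requests: an anonymous client, the same client spoofing the
// header once and MAX_DEPTH times, and a client with a valid session.
const anonymous = { path: '/admin', cookies: {}, headers: {} };
const spoofed = { path: '/admin', cookies: {}, headers: { [SUBREQUEST_HEADER]: 'middleware' } };
const deepSpoof = {
  path: '/admin',
  cookies: {},
  headers: { [SUBREQUEST_HEADER]: Array(MAX_DEPTH).fill('middleware').join(':') },
};
const loggedIn = { path: '/admin', cookies: { session: 'abc' }, headers: {} };

console.log('anonymous, vulnerable:', dispatchVulnerable(anonymous).status); // 302
console.log('spoofed, vulnerable  :', dispatchVulnerable(spoofed).status); // 200
console.log('spoofed, hardened    :', dispatchHardened(spoofed).status); // 302
console.log('spoofed header seen  :', carriesSubrequestHeader(spoofed.headers)); // true
```

The hardened path does not change the application at all; it only guarantees that the internal header can never arrive from outside, which is the same effect the vendor's workaround achieves at the proxy. Patching remains the real fix, since the edge rule protects only the paths that pass through that edge.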
