Authorization potentially bypassed with critical Next.js bug

Attacks leveraging a recently patched critical security flaw in the open-source JavaScript framework Next.js, tracked as CVE-2025-29927, could allow middleware-based authorization checks to be evaded and lead to eventual system compromise, according to CyberScoop.

Cybersecurity researcher Allam Rachid noted that threat actors could use tokens or partial code to exploit the vulnerability, which stems from an improper-authentication issue, in order to circumvent security checks and reach restricted parts of an application. "This vulnerability has been present for several years in the Next.js source code, evolving with the middleware and its changes over the versions," said Rachid, who together with Allam Yasser discovered the bug and reported it to Next.js maintainer Vercel late last month, only for the patch to arrive weeks later.

Vercel's delayed fix has raised concerns, even as the firm's Chief Information Security Officer Ty Sbano noted the absence of any active exploits. "While our teams had verified the issue did not impact most infrastructure platforms, we failed to proactively share that context quickly enough. We're already working on ways we can improve how we share information moving forward," said Sbano.
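The defensive lesson behind a middleware authorization bypass is that a check living only in the middleware layer is a single point of failure. The following added example (constructed for this article; it is not code from Next.js, Vercel, or the researchers, and it uses no real Next.js APIs) models a small request pipeline with a perimeter middleware check and two route handlers: one that trusts the middleware, and one that re-verifies the session itself. The session store, cookie format and `/admin` path are all hypothetical. Running the pipeline with the middleware step skipped shows which design still denies unauthenticated access.

```javascript
// Constructed session store: cookie token -> user record (hypothetical values).
const SESSIONS = new Map([
  ["tok-alice", { user: "alice", role: "admin" }],
]);

// Parse a "session=<token>" cookie and look the token up. Returns null if absent/unknown.
function getSession(req) {
  const cookie = req.headers["cookie"] || "";
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookie);
  return m ? SESSIONS.get(m[1]) || null : null;
}

// Perimeter check: redirect anonymous requests away from /admin paths.
// Returning null means "continue to the route handler".
function authMiddleware(req) {
  if (req.path.startsWith("/admin") && !getSession(req)) {
    return { status: 302, location: "/login" };
  }
  return null;
}

// Handler that relies entirely on the middleware having run.
function adminHandlerTrusting(req) {
  return { status: 200, body: "admin dashboard" };
}

// Defense in depth: the handler enforces authorization on its own,
// so it is correct even if the middleware layer is skipped.
function adminHandlerHardened(req) {
  const session = getSession(req);
  if (!session || session.role !== "admin") {
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: `admin dashboard for ${session.user}` };
}

// Simulated pipeline. runMiddleware=false models the middleware check
// not executing for a request, whatever the cause.
function handle(req, handler, { runMiddleware = true } = {}) {
  if (runMiddleware) {
    const early = authMiddleware(req);
    if (early) return early;
  }
  return handler(req);
}

// Constructed requests: one anonymous, one carrying a valid admin session.
const anonReq = { path: "/admin/users", headers: {} };
const aliceReq = { path: "/admin/users", headers: { cookie: "session=tok-alice" } };

// Summarize the four cases as status codes so the outcome is easy to compare.
function demo() {
  return {
    trustingWithMiddleware: handle(anonReq, adminHandlerTrusting).status,
    trustingMiddlewareSkipped: handle(anonReq, adminHandlerTrusting, { runMiddleware: false }).status,
    hardenedMiddlewareSkipped: handle(anonReq, adminHandlerHardened, { runMiddleware: false }).status,
    hardenedAuthenticatedSkipped: handle(aliceReq, adminHandlerHardened, { runMiddleware: false }).status,
  };
}

console.log(demo());
```

With the middleware in place both handlers look safe; with it skipped, the trusting handler serves the admin page to an anonymous request (status 200) while the hardened handler still returns 403, and a legitimate admin session still gets 200. The practical takeaway is to treat middleware as a convenience layer and keep an authorization check in every sensitive route handler or data-access function.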
