NCSC Urges Users to Patch Next.js Flaw Immediately
The UK’s leading cybersecurity agency has urged users of a popular open source web development framework to patch a critical vulnerability immediately.
The National Cyber Security Centre (NCSC) warned in a post on Friday of an authorization bypass vulnerability present in Next.js, a React-based framework used to build full-stack web applications across the globe.
“An attacker may be able to exploit this vulnerability by sending an external request to the system that the system treats as an internal request, bypassing authorization checks and giving unauthorised access to sensitive data,” it explained.
“Proof-of-concept exploits for this vulnerability are widely and freely available.”
CVE-2025-29927 was fixed by the Next.js maintainers on March 22, after being responsibly and privately reported to the team back in February.
“Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops,” the Next.js security advisory explained.
“The security report showed it was possible to skip running middleware, which could allow requests to skip critical checks – such as authorization cookie validation – before reaching routes.”
The vulnerability impacts all versions from 11.1.4 up to, but not including, 12.3.5; all versions of 13.x before 13.5.9; all versions of 14.x before 14.2.25; and all versions of 15.x before 15.2.3.
“If updating to a fixed version is not feasible, the vendor has recommended that external user requests containing the ‘x-middleware-subrequest’ header be blocked from reaching your Next.js application,” the NCSC said.
“This should be a temporary measure until updating to the latest version is possible.”
The agency also urged organizations to monitor logs for potential attacks.
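The two stop-gaps the NCSC describes, blocking external requests that carry the internal header and watching logs for attempts, can both be done in a front proxy or edge function. The following is an added example written for this article, not code from the NCSC post or from the Next.js project. It assumes incoming headers arrive as an object with lowercase keys (as Node's http.IncomingMessage.headers provides) and that access logs are one JSON object per line with a source field marking external versus internal traffic; the log lines, IP addresses and header value are constructed placeholders.

```javascript
// Added example: proxy-side guard and log scanner for the internal
// x-middleware-subrequest header. Not part of Next.js or the NCSC guidance.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Return a copy of the headers without the internal header, plus a flag
// saying whether it was present. Header names are compared case-insensitively
// in case the caller did not normalise them.
function stripSubrequestHeader(headers) {
  const cleaned = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === SUBREQUEST_HEADER) {
      stripped = true;
      continue;
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, stripped };
}

// Decide how a front proxy should treat an external request. 'block' is the
// vendor-recommended temporary mitigation; 'strip' forwards the request with
// the header removed, which is weaker but keeps legitimate clients working
// if some misbehaving client sends the header by accident.
function guardExternalRequest(req, { mode = 'block' } = {}) {
  const { headers, stripped } = stripSubrequestHeader(req.headers || {});
  if (stripped && mode === 'block') {
    return { action: 'block', status: 403, headers };
  }
  return { action: 'forward', status: null, headers };
}

// Scan JSON access-log lines and return entries where an external client sent
// the internal header. Internal hops that legitimately carry it are ignored,
// and malformed lines are skipped rather than aborting the scan.
function findSubrequestHeaderAbuse(logLines) {
  const hits = [];
  for (const line of logLines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // not JSON: skip, do not abort the whole scan
    }
    const hdrs = entry.headers || {};
    const present = Object.keys(hdrs).some(
      (k) => k.toLowerCase() === SUBREQUEST_HEADER,
    );
    if (present && entry.source === 'external') {
      hits.push({ time: entry.time, ip: entry.client_ip, path: entry.path });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic). The header values are
// placeholders, not the values Next.js uses internally.
const SAMPLE_LOG = [
  JSON.stringify({ time: '2025-03-24T10:00:01Z', source: 'external', client_ip: '203.0.113.7', path: '/dashboard', headers: { 'user-agent': 'curl/8.0' } }),
  JSON.stringify({ time: '2025-03-24T10:00:05Z', source: 'external', client_ip: '203.0.113.9', path: '/admin', headers: { 'x-middleware-subrequest': 'placeholder', 'user-agent': 'python-requests/2.31' } }),
  JSON.stringify({ time: '2025-03-24T10:00:06Z', source: 'internal', client_ip: '127.0.0.1', path: '/api/health', headers: { 'X-Middleware-Subrequest': 'placeholder' } }),
  'not a json line',
];

// Stand-alone run: report the constructed external hit.
console.log(findSubrequestHeaderAbuse(SAMPLE_LOG));
```

Put the guard in front of the Next.js server rather than inside it: the point of the mitigation is that the header never reaches the application, so a check inside the vulnerable middleware would be too late. The scanner is only as good as the logging in front of it, so make sure the proxy actually records request headers (or at least the presence of this one) before relying on it.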
Rapid7 explained that, because the CVE affects an application framework and middleware configurations vary from one deployment to the next, the potential impact of the bug varies as well.
“Organizations should consider whether their applications are relying solely on the middleware for authentication,” it said.
“It may be that the application uses middleware, but is just acting as a front end to back-end APIs that are dealing with server-side authentication logic. Bypassing the front-end Next.js middleware would not affect the back end’s ability to authenticate users.”
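Rapid7's distinction is the difference between a route that assumes anything reaching it has already been authorised and one that checks for itself. The following is an added example illustrating that difference; it is not code from Rapid7, the NCSC or the Next.js project. The session store, the cookie name and the simulated pipeline are hypothetical stand-ins so the two designs can be compared offline, with and without the middleware running.

```javascript
// Added example: middleware-only authorization versus a route handler that
// re-validates the session itself. Hypothetical session store and cookie name.

// Constructed in-memory session table standing in for a real session store.
const SESSIONS = new Map([
  ['sess-abc', { user: 'alice', role: 'admin' }],
  ['sess-def', { user: 'bob', role: 'user' }],
]);

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Look up the session named by the (hypothetical) "session" cookie.
function authenticate(req) {
  const cookies = parseCookies((req.headers && req.headers.cookie) || '');
  return SESSIONS.get(cookies.session) || null;
}

// Design 1: the route trusts that middleware already gated access, so it
// returns the protected content to whoever reaches it.
function adminRouteMiddlewareOnly(_req) {
  return { status: 200, body: 'admin data' };
}

// Design 2: the route performs its own authentication and authorization,
// so skipping the middleware gains an attacker nothing.
function adminRouteDefenseInDepth(req) {
  const session = authenticate(req);
  if (!session) return { status: 401, body: 'not authenticated' };
  if (session.role !== 'admin') return { status: 403, body: 'forbidden' };
  return { status: 200, body: 'admin data' };
}

// Simulated request pipeline. When middlewareRuns is false the request goes
// straight to the handler, which is the effect the advisory describes.
function simulate(handler, req, { middlewareRuns }) {
  if (middlewareRuns) {
    const session = authenticate(req);
    if (!session || session.role !== 'admin') {
      return { status: 403, body: 'blocked by middleware' };
    }
  }
  return handler(req);
}

// Stand-alone run: compare both designs with the middleware skipped.
const anonymous = { headers: {} };
console.log('middleware-only, skipped:', simulate(adminRouteMiddlewareOnly, anonymous, { middlewareRuns: false }));
console.log('defense-in-depth, skipped:', simulate(adminRouteDefenseInDepth, anonymous, { middlewareRuns: false }));
```

The same check belongs in any back-end API the Next.js front end calls: if the API validates the session on every request, the front-end middleware is a convenience rather than the only barrier, which is the situation Rapid7 describes as unaffected.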