Researchers raise alarm about critical Next.js vulnerability – CyberScoop

Researchers warn that attackers could exploit a recently discovered critical vulnerability in the open-source JavaScript framework Next.js to bypass authorization in middleware and gain access to targeted systems.
Vercel, the San Francisco-based company that created and maintains Next.js, released a patch for CVE-2025-29927 in Next.js 15.2.3 on March 18 and published a security advisory on March 21. Researchers Allam Rachid and Allam Yasser discovered the vulnerability, which has a base score of 9.1 on the CVSS scale, and reported it to Vercel on Feb. 27.
Next.js, initially released in late 2016, is widely used among developers and currently downloaded more than 9 million times per week. The vulnerability affects Next.js applications using middleware for authorization or security checks.
“We are not aware of any active exploits,” Vercel CISO Ty Sbano told CyberScoop in an email. “If someone hosts a Next.js application outside of Vercel, we would not have visibility into runtime or their analytics. Platforms like Vercel and Netlify were not affected.”
Vercel doesn’t know how many Next.js applications are running on self-hosted infrastructure.
The flaw is an improper authentication defect: by using a simple token or piece of code to trick the system, an attacker could bypass the security checks meant to control access and reach parts of the application that should be restricted, Rachid explained in a blog post about his discovery and research.
Rachid also demonstrated how the vulnerability can be exploited to achieve content security bypass and denial-of-service cache poisoning.
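The article notes that the flaw only matters for applications whose authorization lives in middleware. The following is an added example, not code from the article, from Rachid's write-up or from the Next.js project: it shows the defence-in-depth pattern of having the route handler re-check authorization itself, so that a skipped middleware layer alone does not expose the route. The middleware and handler are plain functions standing in for a Next.js middleware file and route handler, and the session store and request shape are constructed for the demo, so it runs in Node without Next.js installed.

```javascript
// Added example (not from the CyberScoop article or the Next.js project):
// authorization enforced in the route handler as well as in middleware.

// Constructed session store: cookie token -> user record (demo assumption).
const SESSIONS = new Map([
  ['tok-admin-1', { user: 'alice', role: 'admin' }],
  ['tok-user-2', { user: 'bob', role: 'user' }],
]);

// Look up the session named by the "session" cookie on a minimal request
// object of the shape { path, headers } (an assumption for this demo).
function sessionFromRequest(req) {
  const cookie = req.headers['cookie'] || '';
  const match = /(?:^|;\s*)session=([^;]+)/.exec(cookie);
  return match ? SESSIONS.get(match[1]) || null : null;
}

// Middleware-style gate: reject unauthenticated requests under /admin/.
// Returning null means "continue to the route handler".
function middleware(req) {
  if (req.path.startsWith('/admin/') && !sessionFromRequest(req)) {
    return { status: 401, body: 'unauthorized' };
  }
  return null;
}

// Route handler that re-checks authorization instead of trusting that the
// middleware ran. If the middleware layer is skipped, this check still holds.
function adminHandler(req) {
  const session = sessionFromRequest(req);
  if (!session || session.role !== 'admin') {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: `admin panel for ${session.user}` };
}

// Normal dispatch: middleware first, then the handler.
function handleWithMiddleware(req) {
  return middleware(req) || adminHandler(req);
}

// Dispatch as if the middleware layer never ran, the failure mode the article
// describes; the handler's own check is what keeps the route closed.
function handleWithoutMiddleware(req) {
  return adminHandler(req);
}
```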
“This vulnerability has been present for several years in the Next.js source code, evolving with the middleware and its changes over the versions,” Rachid wrote in the blog post. “A critical vulnerability can occur in any software, but when it affects one of the most popular frameworks, it becomes particularly dangerous and can have severe consequences for the broader ecosystem.”
Concerns regarding Vercel’s response to the vulnerability and delayed disclosure linger. The company published a security advisory Friday, three days after it released a patched version of Next.js, and published a changelog and blog post about the matter Saturday.
“There has been understandable concern that our communication with partners during this incident did not meet our typical standards,” Sbano said.
“While our teams had verified the issue did not impact most infrastructure platforms, we failed to proactively share that context quickly enough,” he continued. “We’re already working on ways we can improve how we share information moving forward.”