The software defect in the widely used open-source JavaScript framework allows attackers to bypass middleware-based authorization.
Researchers warn that attackers could exploit a recently discovered critical vulnerability in the open-source JavaScript framework Next.js to bypass authorization in middleware and gain access to targeted systems.
Vercel, the San Francisco-based company that created and maintains Next.js, released a patch for CVE-2025-29927 in Next.js 15.2.3 on March 18 and published a security advisory on March 21. Researchers Allam Rachid and Allam Yasser discovered the vulnerability, which has a base score of 9.1 on the CVSS scale, and reported it to Vercel on Feb. 27.
Next.js, initially released in late 2016, is widely used among developers and currently downloaded more than 9 million times per week. The vulnerability affects Next.js applications using middleware for authorization or security checks.
“We are not aware of any active exploits,” Vercel CISO Ty Sbano told CyberScoop in an email. “If someone hosts a Next.js application outside of Vercel, we would not have visibility into runtime or their analytics. Platforms like Vercel and Netlify were not affected.”
Vercel doesn’t know how many Next.js applications are running on self-hosted infrastructure.
The flaw that attackers could take advantage of is an improper authentication defect. A request carrying a simple token or piece of code can trick the system into skipping the security checks that are meant to control access, letting an attacker reach parts of the application that should be restricted, Rachid explained in a blog post about his discovery and research.
Rachid also demonstrated how the vulnerability can be exploited to achieve content security bypass and denial-of-service cache poisoning.
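Because the bypass described above lets a request reach a route without the middleware check having run, authorization that lives only in middleware simply vanishes. The following is an added example, not code from the article, Vercel or Next.js: a framework-free model of a route handler that trusts middleware beside one that re-checks authorization itself (the session store, policy table and `serve` pipeline are constructed for the demonstration).

```javascript
// Added example (not from the article, Vercel or Next.js): defence in depth for
// middleware-based authorization, modelled without a framework so it runs anywhere.

// Constructed session store: cookie value -> identity.
const SESSIONS = new Map([
  ["sess-alice", { user: "alice", role: "admin" }],
  ["sess-bob", { user: "bob", role: "viewer" }],
]);

// Constructed policy table: route -> minimum role required.
const POLICY = { "/admin/users": "admin", "/dashboard": "viewer" };
const RANK = { viewer: 1, admin: 2 };

// One authorization decision, reusable from middleware and from handlers.
function authorize(req) {
  const required = POLICY[req.path];
  if (!required) return { ok: true };
  const session = SESSIONS.get(req.cookies?.session);
  if (!session) return { ok: false, status: 401, reason: "no session" };
  if (RANK[session.role] < RANK[required]) {
    return { ok: false, status: 403, reason: "insufficient role" };
  }
  return { ok: true, session };
}

// Middleware: returns an early response when the request is not authorized.
function middleware(req) {
  const decision = authorize(req);
  return decision.ok ? null : { status: decision.status, body: decision.reason };
}

// Vulnerable pattern: the handler assumes middleware already ran.
function adminUsersTrusting() {
  return { status: 200, body: [...SESSIONS.values()].map((s) => s.user) };
}

// Hardened pattern: the handler re-checks authorization itself.
function adminUsersChecked(req) {
  const decision = authorize(req);
  if (!decision.ok) return { status: decision.status, body: decision.reason };
  return { status: 200, body: [...SESSIONS.values()].map((s) => s.user) };
}

// Simulated pipeline. middlewareRan=false models a request that reached the
// handler without the middleware check, the condition the bypass produces.
function serve(handler, req, middlewareRan = true) {
  if (middlewareRan) {
    const early = middleware(req);
    if (early) return early;
  }
  return handler(req);
}
```

With the middleware in place both handlers reject an anonymous request; once it is skipped, only the handler that re-checks still does.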
“This vulnerability has been present for several years in the Next.js source code, evolving with the middleware and its changes over the versions,” Rachid wrote in the blog post. “A critical vulnerability can occur in any software, but when it affects one of the most popular frameworks, it becomes particularly dangerous and can have severe consequences for the broader ecosystem.”
Concerns regarding Vercel’s response to the vulnerability and delayed disclosure linger. The company published a security advisory Friday, three days after it released a patched version of Next.js, and published a changelog and blog post about the matter Saturday.
“There has been understandable concern that our communication with partners during this incident did not meet our typical standards,” Sbano said.
“While our teams had verified the issue did not impact most infrastructure platforms, we failed to proactively share that context quickly enough,” he continued. “We’re already working on ways we can improve how we share information moving forward.”
Written by Matt Kapko
Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.