Critical flaw in Next.js lets hackers bypass authorization
Published on: 2025-06-02 21:15:32
A critical-severity vulnerability has been discovered in the Next.js open-source web development framework, potentially allowing attackers to bypass authorization checks.
The flaw, tracked as CVE-2025-29927, enables attackers to send requests that reach their destination paths without passing through critical security checks.
Next.js is a popular React framework with more than 9 million weekly downloads on npm. It is used for building full-stack web apps and includes middleware components for authentication and authorization.
Front-end and full-stack developers use it to build web apps with React. Some of the more notable companies using it for their sites/apps are TikTok, Twitch, Hulu, Netflix, Uber, and Nike.
Authorization bypass
In Next.js, middleware components run before a request reaches the application's routing system and serve purposes such as authentication, authorization, logging, error handling, redirecting users, and applying geo-blocking or rate limits.
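Added example, not code from the article or from the Next.js project: a minimal Next.js-style request pipeline in plain JavaScript (only the global Request/Response of Node 18+, no next/server import) in which the route handler re-runs the same authorization check as the middleware, so a request that reaches the handler without passing through middleware is still rejected. The session store, tokens and paths are constructed sample data.

```javascript
// Constructed sample session store: token -> session (not real data).
const SESSIONS = new Map([
  ['tok-admin-1', { user: 'alice', role: 'admin' }],
  ['tok-user-2', { user: 'bob', role: 'user' }],
]);

// Parse the Cookie header of a Request into a plain object.
function parseCookies(req) {
  const out = {};
  for (const part of (req.headers.get('cookie') || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Single authorization routine shared by middleware and route handler.
function authorize(req, requiredRole) {
  const session = SESSIONS.get(parseCookies(req).session || '');
  if (!session) return { ok: false, status: 401 };
  if (requiredRole && session.role !== requiredRole) return { ok: false, status: 403 };
  return { ok: true, session };
}

// Middleware-style gate: in a real Next.js app this runs before routing.
function middleware(req) {
  if (new URL(req.url).pathname.startsWith('/admin')) {
    const a = authorize(req, 'admin');
    if (!a.ok) return new Response('blocked by middleware', { status: a.status });
  }
  return null; // null means: continue to the route handler
}

// Route handler re-checks instead of trusting that middleware ran.
function adminHandler(req) {
  const a = authorize(req, 'admin');
  if (!a.ok) return new Response('blocked by handler', { status: a.status });
  return new Response(`hello ${a.session.user}`, { status: 200 });
}

// Simulate both paths: normal (middleware, then handler) and middleware skipped.
function serve(req, { skipMiddleware = false } = {}) {
  if (!skipMiddleware) {
    const early = middleware(req);
    if (early) return early;
  }
  return adminHandler(req);
}

// Helper: HTTP status for a GET /admin/users with the given Cookie header.
function statusFor(cookie, skipMiddleware) {
  const req = new Request('http://localhost/admin/users', { headers: cookie ? { cookie } : {} });
  return serve(req, { skipMiddleware }).status;
}
```

With the handler-level check in place, skipping the middleware changes which layer rejects the request but not the outcome.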
To prevent infinite loops where m