
A critical security flaw has been disclosed in the Next.js React framework that could, under certain conditions, be exploited to bypass authorization checks. The vulnerability, tracked as CVE-2025-29927, has a CVSS score of 9.1 out of 10.0.
“Next.js uses the internal header X-Middleware-SubRequest to prevent recursive requests from triggering infinite loops,” Next.js said in its advisory.
“We were able to skip running middleware. This allows requests to skip important checks, such as cookie verification, before reaching the route.”
The flaw has been addressed in versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. If patching is not an option, it is recommended to prevent external user requests that include the X-Middleware-SubRequest header from reaching the Next.js application.

Security researcher Rachid Allam (aka Zhero and Cold-Try) has been credited with discovering and reporting the flaw, and has since published additional technical details about it, making it essential that users move quickly to apply the fix.

“The vulnerability allows an attacker to easily bypass permission checks performed in the next.js middleware, allowing an attacker to access sensitive web pages reserved for administrators and other highly privileged users,” says JFrog.
The company also said that websites which rely on middleware to authorize users, without additional authorization checks further down the stack, are vulnerable to CVE-2025-29927, allowing attackers to access resources that would otherwise be off-limits (such as admin pages).