Cybercriminals have begun scanning the web for servers vulnerable to a critical flaw recently discovered in the popular web application framework, Next.js. The security hole, now tracked as CVE-2025-29927, carries a CVSS score of 9.1, marking it a high-risk issue for organizations relying on the framework.
According to security experts at Akamai, the first exploitation attempts surfaced just days after patches became available. This flaw could allow attackers to bypass key security protections in Next.js-powered applications, potentially exposing sensitive data.
Widely adopted by developers, Next.js streamlines web app creation using React and boosts both performance and SEO rankings. However, this critical bug lies in how Next.js processes internal headers through its middleware. Middleware handles crucial tasks like user authentication, authorization, and enforcing security headers.
Specifically, the problem stems from improper validation of the internal ‘x-middleware-subrequest’ header, which carries a predictable value. Hackers can craft malicious requests that mimic this header, effectively tricking the system into bypassing authentication controls.
“When attackers bypass the middleware, the application skips critical security checks like verifying user identity or roles,” Akamai warned. “This opens the door for unauthorized access to restricted or sensitive sections of the app.”
The vulnerability impacts multiple versions of Next.js. Patches were rolled out in versions 15.2.3 and 14.2.25, and backported to 13.5.9 and 12.3.5. Public disclosure came on March 21, a week after these fixes were released. Yet, the attack surface remains wide, as not all projects may have updated.
Rapid7 adds that the real-world risk depends on how developers structured their applications. If authentication is handled solely by Next.js middleware, the impact could be severe. However, apps that push authentication to back-end APIs may fare better, as the back-end layers can still enforce security checks even if the front-end is bypassed.
“Teams need to assess whether their Next.js middleware is the only line of defense,” Rapid7 cautioned. “Bypassing it might not matter if robust server-side authentication is in place.”
At this point, no active exploitation has been confirmed in the wild. However, Akamai revealed that threat actors are already scanning the internet, attempting to locate vulnerable servers. These probing attempts mimic multiple internal subrequests in a single HTTP call, triggering Next.js’s internal redirect logic—a tactic similar to the proof-of-concept (PoC) released by security researchers Rachid and Yasser Allam, who first reported the bug.
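The following is an added example, not code from the article, Akamai, or Rapid7. It shows the defender's side of the mechanism described above: flagging client-originated requests that carry the internal `x-middleware-subrequest` header, dropping that header at a proxy layer before it reaches the app, and a back-end handler that re-checks the session itself so a middleware bypass alone does not grant access. The request records, the `sessions` store, and the `<placeholder>` header value are constructed; the real value is deliberately not reproduced here.

```javascript
// Added example (not from the article): detection, proxy-side stripping, and
// back-end re-authorization around the internal Next.js header the flaw abuses.
// The request records below are constructed; their field names are assumptions.
const INTERNAL_HEADER = 'x-middleware-subrequest';

// Constructed sample of requests as an edge proxy might record them.
const SAMPLE_REQUESTS = [
  { id: 1, src: '203.0.113.10', path: '/admin', headers: { 'user-agent': 'curl/8.0' } },
  { id: 2, src: '203.0.113.11', path: '/admin', headers: { 'X-Middleware-Subrequest': '<placeholder>' } },
  { id: 3, src: '198.51.100.7', path: '/api/me', headers: { cookie: 'session=abc' } },
  { id: 4, src: '203.0.113.12', path: '/dashboard', headers: { 'x-middleware-subrequest': '<placeholder>' } },
];

// HTTP header names are case-insensitive, so normalize before matching.
function hasInternalHeader(headers) {
  return Object.keys(headers).some((k) => k.toLowerCase() === INTERNAL_HEADER);
}

// Detection: any request arriving from a client with this header set is suspect,
// because the header is only ever meant to be set internally by Next.js itself.
function findSuspiciousRequests(requests) {
  return requests.filter((r) => hasInternalHeader(r.headers)).map((r) => r.id);
}

// Mitigation at the proxy layer: remove the header before the app sees it so a
// spoofed value cannot influence middleware. Returns a new header object.
function stripInternalHeader(headers) {
  const clean = {};
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() !== INTERNAL_HEADER) clean[k] = v;
  }
  return clean;
}

// Defense in depth (the Rapid7 point): the back-end handler validates the
// session itself rather than assuming middleware already did. `sessions` is a
// constructed Map standing in for a real session store.
function authorizeAdminRequest(req, sessions) {
  const cookie = req.headers.cookie || '';
  const match = /(?:^|;\s*)session=([^;]+)/.exec(cookie);
  const session = match ? sessions.get(match[1]) : undefined;
  if (!session) return { status: 401 };
  if (session.role !== 'admin') return { status: 403 };
  return { status: 200 };
}

console.log('suspicious request ids:', findSuspiciousRequests(SAMPLE_REQUESTS));
```

The authorization result depends only on the session store, so the presence or absence of the spoofable header has no effect on the back-end decision.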
Given the growing interest from attackers, security experts urge organizations using Next.js to patch their applications immediately and review their authentication flows.