
Critical Next.js Vulnerability in Hacker Crosshairs

Threat actors have started probing servers impacted by a critical-severity vulnerability in the web application development framework Next.js.

The first attempts to exploit a critical-severity vulnerability in Next.js have been observed less than a week after patches were released, Akamai reports.

Next.js is a React framework used to build web applications. It allows developers to decrease site loading times and improve search engine optimization (SEO).

Tracked as CVE-2025-29927 (CVSS score of 9.1), the critical-severity flaw was publicly disclosed on March 21, one week after patches were rolled out in Next.js versions 15.2.3 and 14.2.25. The fixes were also included in Next.js versions 13.5.9 and 12.3.5, which were released over the weekend.

Next.js relies on middleware for processing HTTP requests. Middleware is also responsible for authentication, authorization, and setting security headers, and the internal header ‘x-middleware-subrequest’ is used to manage these processes and prevent infinite loops.

Because the internal header is not properly validated and its value is predictable, an attacker can send crafted requests that carry a mimicked copy of the header, causing the application to skip its middleware and the authentication checks performed there.

“When the middleware is bypassed, the app does not perform its normal security routines, such as identity or role verification, leading to potential unauthorized access to sensitive or restricted parts of the application,” Akamai explains, warning that the security defect can be exploited without authentication.

While multiple versions of Next.js are impacted, exploitation methods vary by version. According to Rapid7, the potential impact of the flaw varies by application, depending on middleware configuration and on the application’s purpose.

“Organizations should consider whether their applications are relying solely on the middleware for authentication. It may be that the application uses middleware, but is just acting as a front end to back-end APIs that are dealing with server-side authentication logic. Bypassing the front-end Next.js middleware would not affect the back-end’s ability to authenticate users,” Rapid7 notes.
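The two defensive points above, that the internal header should never arrive from an external client and that back-end authentication should not depend on the middleware having run, can be checked and enforced in code. The following is an added example written for this page; it is not code from the article, from Akamai, Rapid7 or the Next.js project. It is plain Node.js with no framework dependency, and the access-log format, the session store, the `SESSIONS` contents and the header value `placeholder-value` are all constructed for the example (the real value used by Next.js is not reproduced here).

```javascript
// Added example (not from the article, Akamai, Rapid7 or the Next.js project).
// 1. Edge / logging side: 'x-middleware-subrequest' is internal to Next.js, so a
//    copy arriving from an external client is anomalous. findSuspiciousRequests()
//    flags such requests in access-log records; stripInternalHeader() removes the
//    header before the request is forwarded to the app.
// 2. Application side: a protected handler performs its own session check, so a
//    bypass of the front-end middleware alone does not grant access.
// The log records, session store and header value below are constructed.

const INTERNAL_HEADER = "x-middleware-subrequest";

// Constructed access-log records in the shape a JSON-logging proxy might emit.
const SAMPLE_LOG = [
  { ts: "2025-03-24T10:00:01Z", src: "203.0.113.10", method: "GET", path: "/admin",
    headers: { host: "app.example", "x-middleware-subrequest": "placeholder-value" }, status: 200 },
  { ts: "2025-03-24T10:00:02Z", src: "198.51.100.7", method: "GET", path: "/",
    headers: { host: "app.example" }, status: 200 },
  { ts: "2025-03-24T10:00:03Z", src: "203.0.113.10", method: "GET", path: "/dashboard",
    headers: { host: "app.example", "X-Middleware-Subrequest": "placeholder-value" }, status: 200 },
  { ts: "2025-03-24T10:00:04Z", src: "192.0.2.5", method: "POST", path: "/api/login",
    headers: { host: "app.example" }, status: 401 },
];

// HTTP header names are case-insensitive and proxies record them differently,
// so compare on the lower-cased name.
function hasInternalHeader(headers) {
  return Object.keys(headers).some((k) => k.toLowerCase() === INTERNAL_HEADER);
}

// Detection: records carrying the internal header, grouped by source address.
// Any hit is alert-worthy regardless of the header's value, because no
// legitimate external client sets it.
function findSuspiciousRequests(records) {
  const bySource = new Map();
  for (const r of records) {
    if (!hasInternalHeader(r.headers)) continue;
    if (!bySource.has(r.src)) bySource.set(r.src, []);
    bySource.get(r.src).push({ ts: r.ts, path: r.path, status: r.status });
  }
  return bySource;
}

// Mitigation at the edge: drop the header (any casing) before forwarding.
// Returns a new headers object and leaves every other header intact.
function stripInternalHeader(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() !== INTERNAL_HEADER) out[k] = v;
  }
  return out;
}

// Defence in depth inside the app: constructed stand-in for a server-side
// session store keyed by an opaque session cookie.
const SESSIONS = new Map([["sess-abc123", { user: "alice", role: "admin" }]]);

function requireSession(headers, requiredRole) {
  const cookie = headers.cookie || "";
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookie);
  const session = m ? SESSIONS.get(m[1]) : undefined;
  if (!session) return { status: 401, body: "unauthenticated" };
  if (requiredRole && session.role !== requiredRole) return { status: 403, body: "forbidden" };
  return { status: 200, session };
}

// The handler never consults INTERNAL_HEADER and does not assume middleware
// ran: the authorization decision is repeated here.
function adminHandler(req) {
  const auth = requireSession(req.headers, "admin");
  if (auth.status !== 200) return { status: auth.status, body: auth.body };
  return { status: 200, body: `admin panel for ${auth.session.user}` };
}

// Stand-alone run: report probing sources and show the handler's decisions.
for (const [src, hits] of findSuspiciousRequests(SAMPLE_LOG)) {
  console.log(`ALERT ${src} sent ${INTERNAL_HEADER} ${hits.length}x:`, hits);
}
console.log(adminHandler({ headers: { [INTERNAL_HEADER]: "placeholder-value" } }));
console.log(adminHandler({ headers: { cookie: "session=sess-abc123" } }));
```

In a deployment the stripping function belongs at the reverse proxy or WAF in front of every Next.js instance, and the detection query belongs in the log pipeline so that a source repeatedly sending the header is surfaced even when the application has already been patched.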


While the cybersecurity firm says it is not aware of CVE-2025-29927 being exploited in the wild, Akamai notes that threat actors are already probing the internet for servers impacted by the bug.

The observed attacks, Akamai notes, simulate “multiple internal subrequests within a single request, triggering Next.js’s internal redirect logic”, and closely resemble proof-of-concept (PoC) code that Rachid and Yasser Allam, who were credited for reporting the flaw, published alongside technical information on the bug.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
