Next.js Fixes Critical Middleware Vulnerability in Version 15.2.3
Next.js has released version 15.2.3 to patch a critical security flaw (CVE-2025-29927) affecting self-hosted deployments using `next start` with `output: 'standalone'`. The issue, disclosed on February 27, allowed attackers to bypass Middleware logic, potentially skipping authorization checks and other security-critical processes.
The vulnerability stems from the misuse of the internal `x-middleware-subrequest` header, which could be manipulated to prevent Middleware execution. While deployments on Vercel, Netlify, or static exports remain unaffected, any self-hosted application relying on Middleware for authentication is at risk.
Patches are now available for versions 12 through 15. Users are urged to upgrade immediately to the fixed releases: 12.3.5, 13.5.9, 14.2.25, or 15.2.3. If patching isn't feasible, developers should block external requests containing the `x-middleware-subrequest` header before they reach the application.