A significant security flaw has been disclosed in the Next.js React framework that could be exploited to bypass authorization checks under certain conditions.
The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0.
“Next.js employs an internal header x-middleware-subrequest to stop recursive requests from causing endless loops,” stated Next.js in an
