Next.js just had one of the most critical vulnerabilities in its history – a middleware authorization bypass rated 9.1 in severity. In this video, we break down how a simple HTTP header (x-middleware-subrequest) allowed unauthenticated users to access protected routes, why it worked, and how it got patched in version 15.2.3.
We’ll also explore the real-world implications, why relying solely on middleware isn't enough, and the public backlash from CEOs of companies like Replit and Cloudflare. Whether you think this was overblown or a serious oversight, here’s everything you need to know.
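As an added example (not code from the video or from the Next.js project), here is the defensive side of what the description summarises: an edge-side function that strips the x-middleware-subrequest header from inbound requests before they reach the application, and a scan over constructed JSON access-log lines that flags requests carrying it for review. The `{ headers }` request shape and the log format are assumptions made for this example.

```javascript
// Added example, not from the video or Next.js. Assumes requests are plain
// { headers: {...} } objects and logs are JSON lines; both are assumptions.
const SENSITIVE_HEADER = 'x-middleware-subrequest';

// Return a copy of the headers with the internal header removed, plus a flag
// saying whether it was present. Header names are compared case-insensitively
// because HTTP header names are case-insensitive.
function stripSubrequestHeader(headers) {
  const cleaned = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === SENSITIVE_HEADER) {
      stripped = true; // drop it: only the framework should set this internally
      continue;
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, stripped };
}

// Scan JSON access-log lines and return the entries whose recorded request
// headers carried the header, so those requests can be reviewed.
function findSubrequestHeaderHits(logLines) {
  const hits = [];
  for (const line of logLines) {
    let entry;
    try { entry = JSON.parse(line); } catch (e) { continue; } // skip malformed lines
    const headers = entry.headers || {};
    if (Object.keys(headers).some(h => h.toLowerCase() === SENSITIVE_HEADER)) {
      hits.push({ ts: entry.ts, ip: entry.ip, path: entry.path });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic); header values are placeholders.
const SAMPLE_LOGS = [
  '{"ts":"2025-03-22T10:00:00Z","ip":"203.0.113.5","path":"/dashboard",' +
    '"headers":{"host":"app.example","x-middleware-subrequest":"placeholder"}}',
  '{"ts":"2025-03-22T10:00:01Z","ip":"198.51.100.9","path":"/",' +
    '"headers":{"host":"app.example"}}',
  '{"ts":"2025-03-22T10:00:02Z","ip":"203.0.113.5","path":"/admin",' +
    '"headers":{"host":"app.example","X-Middleware-Subrequest":"placeholder"}}',
  'not json',
];

console.log(findSubrequestHeaderHits(SAMPLE_LOGS)); // two flagged requests
```

Stripping the header at the proxy is a stopgap for deployments that cannot upgrade immediately; the real fix is the patched release, and middleware should never be the only authorization check in front of a route.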
🔗 Relevant Links
Next.js Disclosure: https://nextjs.org/blog/cve-2025-29927
GitHub CVE: https://github.com/advisories/GHSA-f8...
Vulnerability Finder Blog: https://zhero-web-sec.github.io/resea...
❤️ More about us
Radically better observability stack: https://betterstack.com/
Written tutorials: https://betterstack.com/community/
Example projects: https://github.com/BetterStackHQ
📱 Socials
Twitter: / betterstackhq
Instagram: / betterstackhq
TikTok: / betterstack
LinkedIn: / betterstack