Next.js Authentication Bypass Vulnerability


The Australian Cyber Security Centre is advising users of certain Next.js versions to upgrade to the latest version after the company issued an advisory detailing a vulnerability that could allow a remote attacker to bypass security checks, including many forms of authentication.

Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops. A security report showed it was possible to skip running Middleware, which could allow requests to skip critical checks, such as authorisation cookie validation, before reaching routes.

Affected are self-hosted Next.js applications using Middleware (next start with output: standalone), and applications that rely on Middleware for authentication or security checks which are not validated again later in the application. Applications fronted by Cloudflare can turn on a Managed WAF rule.

Not affected are applications hosted on Vercel, applications hosted on Netlify, and applications deployed as static exports (Middleware not executed).

For Next.js 15.x, this issue is fixed in 15.2.3. For Next.js 14.x, this issue is fixed in 14.2.25. For Next.js 13.x, this issue is fixed in 13.5.9, and for Next.js 12.x, this issue is fixed in 12.3.5.

If patching to a safe version is infeasible, it is recommended that you prevent external user requests that contain the x-middleware-subrequest header from reaching your Next.js application.
