Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

TikTok, Netflix and more could be exposed by Next.js auth bypass

CVE-2025-29927 allows attackers to skip middleware checks by spoofing a single HTTP header.

byKerem Gülen
March 25, 2025
in Cybersecurity, News

A critical vulnerability in the Next.js web development framework could let hackers bypass authorization checks. Tracked as CVE-2025-29927, the flaw allows attackers to send requests directly to destination paths, skipping crucial security protocols.

Next.js, a widely-used React framework with over 9 million weekly npm downloads, is favored by developers for constructing full-stack web applications. Companies like TikTok, Twitch, Hulu, Netflix, Uber, and Nike use the framework for their sites and apps.

Middleware components in Next.js handle tasks like authentication, authorization, logging, and redirecting users before a request reaches the application routing system. To avoid infinite loops, Next.js employs an ‘x-middleware-subrequest’ header, which determines whether middleware functions should be applied.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.

The ‘runMiddleware’ function checks for this header. If detected with a specific value, it bypasses the entire middleware execution, forwarding the request directly to its destination. An attacker can exploit this by manually sending a request with the correct header value.

Researchers Allam Rachid and Allam Yasser (inzo_), who identified the vulnerability, stated that “the header and its value act as a universal key allowing rules to be overridden.”

The security issue affects all Next.js versions before 15.2.3, 14.2.25, 13.5.9, and 12.3.5. Users should upgrade immediately, as technical details for exploiting the vulnerability are now public.

Next.js’ security bulletin specifies that CVE-2025-29927 only affects self-hosted versions using ‘next start’ with ‘output: standalone.’ Apps hosted on Vercel and Netlify, or those deployed as static exports, are not impacted.

Environments where middleware is utilized for authorization or security checks without subsequent validation in the application is at risk.

If patching is not immediately feasible, the suggested course of action is to block any external user requests which include the ‘x-middleware-subrequest’ header.


Featured image credit

Tags: Netflixtiktok

Related Posts

ChatGPT reportedly reduces reliance on Reddit as a data source

ChatGPT reportedly reduces reliance on Reddit as a data source

October 3, 2025
Perplexity makes Comet AI browser free, launches background assistant and Chess.com partnership

Perplexity makes Comet AI browser free, launches background assistant and Chess.com partnership

October 3, 2025
Light-powered chip makes AI computation 100 times more efficient

Light-powered chip makes AI computation 100 times more efficient

October 3, 2025
Free and effective anti-robocall tools are now available

Free and effective anti-robocall tools are now available

October 3, 2025
Choosing the right Web3 server: OVHcloud options for startups to enterprises

Choosing the right Web3 server: OVHcloud options for startups to enterprises

October 3, 2025
Z.AI GLM-4.6 boosts context window to 200K tokens

Z.AI GLM-4.6 boosts context window to 200K tokens

October 2, 2025

LATEST NEWS

ChatGPT reportedly reduces reliance on Reddit as a data source

Perplexity makes Comet AI browser free, launches background assistant and Chess.com partnership

Light-powered chip makes AI computation 100 times more efficient

Free and effective anti-robocall tools are now available

Choosing the right Web3 server: OVHcloud options for startups to enterprises

Z.AI GLM-4.6 boosts context window to 200K tokens

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Policy.