Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

TikTok, Netflix and more could be exposed by Next.js auth bypass

CVE-2025-29927 allows attackers to skip middleware checks by spoofing a single HTTP header.

byKerem Gülen
March 25, 2025
in Cybersecurity, News

A critical vulnerability in the Next.js web development framework could let hackers bypass authorization checks. Tracked as CVE-2025-29927, the flaw allows attackers to send requests directly to destination paths, skipping crucial security protocols.

Next.js, a widely-used React framework with over 9 million weekly npm downloads, is favored by developers for constructing full-stack web applications. Companies like TikTok, Twitch, Hulu, Netflix, Uber, and Nike use the framework for their sites and apps.

Middleware components in Next.js handle tasks like authentication, authorization, logging, and redirecting users before a request reaches the application routing system. To avoid infinite loops, Next.js employs an ‘x-middleware-subrequest’ header, which determines whether middleware functions should be applied.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.

The ‘runMiddleware’ function checks for this header. If detected with a specific value, it bypasses the entire middleware execution, forwarding the request directly to its destination. An attacker can exploit this by manually sending a request with the correct header value.

Researchers Allam Rachid and Allam Yasser (inzo_), who identified the vulnerability, stated that “the header and its value act as a universal key allowing rules to be overridden.”

The security issue affects all Next.js versions before 15.2.3, 14.2.25, 13.5.9, and 12.3.5. Users should upgrade immediately, as technical details for exploiting the vulnerability are now public.

Next.js’ security bulletin specifies that CVE-2025-29927 only affects self-hosted versions using ‘next start’ with ‘output: standalone.’ Apps hosted on Vercel and Netlify, or those deployed as static exports, are not impacted.

Environments where middleware is utilized for authorization or security checks without subsequent validation in the application is at risk.

If patching is not immediately feasible, the suggested course of action is to block any external user requests which include the ‘x-middleware-subrequest’ header.


Featured image credit

Tags: Netflixtiktok

Related Posts

OpenAI adds scheduling powers to ChatGPT with new Tasks feature

OpenAI adds scheduling powers to ChatGPT with new Tasks feature

October 27, 2025
Instagram adds watch history for Reels on Android and iOS

Instagram adds watch history for Reels on Android and iOS

October 27, 2025
Huawei: Quad-foldable phone is possible in 2026

Huawei: Quad-foldable phone is possible in 2026

October 27, 2025
Watch: SpaceX launches 84 more Starlink satellites in three Falcon 9 missions over 4 days

Watch: SpaceX launches 84 more Starlink satellites in three Falcon 9 missions over 4 days

October 27, 2025
Mistral AI takes on Google with enterprise AI Studio

Mistral AI takes on Google with enterprise AI Studio

October 27, 2025
Gemini can now generate full presentations from text or files

Gemini can now generate full presentations from text or files

October 27, 2025

LATEST NEWS

OpenAI adds scheduling powers to ChatGPT with new Tasks feature

Instagram adds watch history for Reels on Android and iOS

Huawei: Quad-foldable phone is possible in 2026

Watch: SpaceX launches 84 more Starlink satellites in three Falcon 9 missions over 4 days

Mistral AI takes on Google with enterprise AI Studio

Gemini can now generate full presentations from text or files

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Policy.