Description
Next.js contains a critical middleware bypass vulnerability affecting versions 11.1.4 through 15.2.2.
The vulnerability allows attackers to bypass middleware security controls by sending a specially crafted
'x-middleware-subrequest' header, which can lead to authorization bypass and other security control circumvention.
Remediation
Upgrade to Next.js 14.2.25 or 15.2.3 or later.
If upgrading is not possible, block the x-middleware-subrequest header at the WAF or server level.
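The following is an added example, not code from Next.js or from this advisory, showing the defender-side handling the remediation describes: the 'x-middleware-subrequest' header is internal to Next.js, so a copy arriving from an external client has no legitimate reason to exist and can be stripped at the proxy or edge layer regardless of its value, and its presence in access logs is worth flagging. The `forward` and `audit` callbacks, the JSON-per-line log format and the log entries themselves are assumptions constructed for the example.

```javascript
'use strict';
// Added example, not code from the Next.js project or from this advisory.
// Defender-side handling of the internal 'x-middleware-subrequest' header:
// strip it before the request reaches the application, and flag its presence
// in structured access logs.

const INTERNAL_HEADERS = new Set(['x-middleware-subrequest']);

// Remove internal headers from an inbound request, case-insensitively.
// Returns the cleaned header map and the list of header names dropped.
function stripInternalHeaders(headers) {
  const cleaned = {};
  const removed = [];
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (INTERNAL_HEADERS.has(key)) {
      removed.push(key);
      continue;
    }
    cleaned[key] = value;
  }
  return { headers: cleaned, removed };
}

// Minimal handler shape for a Node reverse proxy or edge function: strip the
// header, record the event, and hand the cleaned request on. `forward` and
// `audit` are assumed callbacks supplied by the surrounding code.
function handleInbound(req, forward, audit) {
  const { headers, removed } = stripInternalHeaders(req.headers);
  if (removed.length > 0) {
    audit({ ip: req.ip, path: req.path, removed });
  }
  return forward({ ...req, headers });
}

// Constructed structured access-log lines (one JSON object per line) of the
// kind a proxy that logs request headers might emit. The header value is a
// placeholder, not a real payload. The last line is deliberately malformed.
const SAMPLE_LOG = [
  '{"ts":"2025-03-24T10:00:01Z","ip":"203.0.113.5","method":"GET","path":"/admin","status":200,"headers":{"user-agent":"curl/8.4.0","x-middleware-subrequest":"constructed-value"}}',
  '{"ts":"2025-03-24T10:00:02Z","ip":"203.0.113.9","method":"GET","path":"/","status":200,"headers":{"user-agent":"Mozilla/5.0"}}',
  '{"ts":"2025-03-24T10:00:03Z","ip":"203.0.113.5","method":"POST","path":"/api/settings","status":200,"headers":{"X-Middleware-Subrequest":"constructed-value","content-type":"application/json"}}',
  'not json at all',
].join('\n');

// Scan log text for requests that carried the internal header from outside.
// Lines that fail to parse are counted rather than silently dropped, so a
// malformed log does not hide a hit.
function findSubrequestHeaderHits(logText) {
  const hits = [];
  let unparsed = 0;
  for (const line of logText.split('\n')) {
    if (line.trim() === '') continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (err) {
      unparsed += 1;
      continue;
    }
    const names = Object.keys(entry.headers || {}).map((h) => h.toLowerCase());
    if (names.some((h) => INTERNAL_HEADERS.has(h))) {
      hits.push({ ts: entry.ts, ip: entry.ip, method: entry.method, path: entry.path });
    }
  }
  return { hits, unparsed };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { hits, unparsed } = findSubrequestHeaderHits(SAMPLE_LOG);
  console.log(`${hits.length} request(s) carried x-middleware-subrequest, ${unparsed} line(s) unparsed`);
  for (const h of hits) console.log(`  ${h.ts} ${h.ip} ${h.method} ${h.path}`);
}
```

Stripping is done on the header name alone, with no inspection of the value, because the decision rests on where the header came from rather than what it contains; the same rule applies whether the header is dropped at a WAF, at the reverse proxy, or in a small edge handler like `handleInbound`. The log scan is only meaningful if the proxy actually records request headers, which is itself a configuration choice worth confirming.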