Next.js Middleware Bypass

Description

Next.js versions 11.1.4 through 15.2.2 contain a critical middleware bypass vulnerability. An attacker can bypass security controls implemented in middleware, such as authorization checks, by sending a request with a specially crafted x-middleware-subrequest header, so any protection that relies on middleware running can be circumvented.

Remediation

Upgrade to Next.js 14.2.25 or 15.2.3, or a later release. If upgrading is not immediately possible, block requests carrying the x-middleware-subrequest header at the WAF or web-server level so that the header never reaches the Next.js server.
