A essential safety flaw has been disclosed within the Subsequent.js React framework that might be doubtlessly exploited to bypass authorization checks underneath sure situations.
The vulnerability, tracked as CVE-2025-29927, carries a CVSS rating of 9.1 out of 10.0.
“Subsequent.js makes use of an inner header x-middleware-subrequest to stop recursive requests from triggering infinite loops,” Subsequent.js said in an advisory.
“It was attainable to skip operating middleware, which might enable requests to skip essential checks—similar to authorization cookie validation—earlier than reaching routes.”
The shortcoming has been addressed in variations 12.3.5, 13.5.9, 14.2.25, and 15.2.3. If patching will not be an possibility, it is really helpful that customers stop exterior person requests that include the x-middleware-subrequest header from reaching the Subsequent.js utility.
Safety researcher Rachid Allam (aka zhero and cold-try), who’s credited with discovering and reporting the flaw, has since printed additional technical details of the flaw, making it crucial that customers transfer rapidly to use the fixes.
“The vulnerability permits attackers to simply bypass authorization checks carried out in Subsequent.js middleware, doubtlessly permitting attackers entry to delicate net pages reserved for admins or different high-privileged customers,” JFrog said.
The corporate additionally stated any host web site that makes use of middleware to authorize customers with none further authorization checks is weak to CVE-2025-29927, doubtlessly enabling attackers to entry in any other case unauthorized assets (e.g., admin pages).
