Latest Next.js vulnerabilities #

On March 22nd, 2025, Next.js disclosed an authentication bypass vulnerability in the middleware layer. Exploitation is trivial and can be achieved by sending an extra HTTP header. For specifics, please see the research paper.

What is the impact? #

Successful exploitation of this vulnerability would allow a remote attacker to bypass security checks implemented in the middleware layer, including many forms of authentication.

Are updates or workarounds available? #

Next.js recommends that customers upgrade to 15.2.3 or 14.2.25. For users that cannot upgrade they recommend filtering the `x-middleware-subrequest` header from requests before they reach the application (case insensitive).

How to find Next.js installations with runZero #

From the Service Inventory, use the following query to locate assets running any version of Next.js

_asset.protocol:http AND protocol:http AND (has:http.head.xPoweredBy AND http.head.xPoweredBy:="Next.js")

A slower, but more comprehensive Service Inventory query:

_asset.protocol:http AND protocol:http AND (
http.head.xPoweredBy:="Next.js" OR
http.head.vary:"Next-Router" OR
has:http.head.xNextjsCache OR
http.body:"/_next/static/"
)

Written by HD Moore

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

More about HD Moore
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Explore more runZero

Product
Announcing runZero 5.0: Exposure management built to outpace AI-driven attacks
When you're up against AI, every minute counts. Get deep, actionable intelligence across your entire attack surface to close the gaps and hold the...
Product Videos
runZero 5.0: Platform Demo
With the new 5.0 release, runZero is giving defenders the edge they need to succeed in the AI-attack era.
runZero Perspective
BOD 26-04: A new era of prioritized remediation
A complete breakdown of CISA's BOD 26-04 directive. Learn how the shift to SSVC, risk-based KEV prioritization, and 3-day remediation impacts your...
runZero Perspective
Dawn of the apex agentic adversary
When agentic AI can weaponize exploits in seconds, visibility is everything. Stop the predator with runZero’s exposure management for the AI-attack...
Webcasts
runZero Hour, Ep. 32: AI-pocalypse now? Why the 2026 DBIR is actually good news
In this episode of runZero Hour, Tod Beardsley, Brianna Cluck, and Verizon's Alex Pinto broke down 2026 DBIR trends, AI threats, and runZero 5.0.
Podcasts
The shadow era AI, exploits, and cybersecurity's 90s comeback
HD Moore explains how AI is turning hacking back to the 90s, generating permanent exploit skeleton keys and breaking traditional defense.
Talks
Identifying exposures at scale with BloodHound OpenGraph
Traditional exposure management misses hidden attack paths. Learn how BloodHound and Cypher queries can uncover vulnerabilities beyond individual...
Podcasts
When is a vulnerability not a vulnerability?
Attackers care about outcomes, not CVEs. Tod Beardsley joins Distilled Security to discuss reframing risk from checklist compliance to adversary...

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.