Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks

A critical security flaw in Next.js, CVE-2025-29927, allows attackers to bypass authorization checks by manipulating the x-middleware-subrequest header. The vulnerability has been patched in versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
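
A defender's check for the two facts in this summary, added here as an example and not taken from Next.js or the advisory: it compares an installed version against the patched releases listed above and flags requests that carry the `x-middleware-subrequest` header. The record fields (`id`, `external`, `headers`), the status strings and the sample data are hypothetical, and it assumes the edge proxy marks which requests arrived from outside.

```javascript
// Fixed release per major line, as listed in the advisory summary above.
const PATCHED = { 12: [12, 3, 5], 13: [13, 5, 9], 14: [14, 2, 25], 15: [15, 2, 3] };
const HEADER = "x-middleware-subrequest";

// Parse "14.2.25", "v15.2.3" or "15.2.3-canary.1" into numbers plus a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  return m ? { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) } : null;
}

// Returns "patched", "needs-upgrade", or "unknown" (unparseable input, or a
// major line for which the summary lists no fixed release).
function nextStatus(version) {
  const p = parseVersion(version);
  const fixed = p && PATCHED[p.nums[0]];
  if (!fixed) return "unknown";
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== fixed[i]) return p.nums[i] > fixed[i] ? "patched" : "needs-upgrade";
  }
  // A prerelease of the fixed version sorts before the release in semver,
  // so it is not assumed to contain the fix.
  return p.pre ? "unknown" : "patched";
}

// HTTP header names are case-insensitive, so compare lowercased.
function carriesSubrequestHeader(headers) {
  return Object.keys(headers || {}).some((k) => k.toLowerCase() === HEADER);
}

// Ids of externally received requests that carry the header.
function flagRequests(records) {
  return records
    .filter((r) => r.external && carriesSubrequestHeader(r.headers))
    .map((r) => r.id);
}

// Constructed sample data; header values are placeholders.
const SAMPLE = [
  { id: "r1", external: true, headers: { host: "app.example", accept: "*/*" } },
  { id: "r2", external: true, headers: { "X-Middleware-Subrequest": "<value>" } },
  { id: "r3", external: false, headers: { "x-middleware-subrequest": "<value>" } },
];

console.log(["12.3.4", "13.5.9", "14.2.30", "11.1.4"].map((v) => `${v}: ${nextStatus(v)}`));
console.log(flagRequests(SAMPLE));
```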
