Next.js and the corrupt middleware: the authorizing artifact

CVE-2025-29927

We discussed potential targets and chose to begin by focusing on Next.js (130K stars on GitHub, currently downloaded 9.4 million+ times per week), a framework I know quite well and with which I already have fond memories, as evidenced by my previous work. As a great man once said, talk is cheap, show me the bug; let's avoid the excess storytelling and get straight to the point. While browsing an older version of the framework (v12.0.7), we came across this piece of code:

Versions prior to 12.2 allowed nested routes to place one or more `_middleware` files anywhere in the tree (starting from the `pages` folder), and these middlewares had a defined execution order, as we can see in this screenshot of the old documentation retrieved from the good old Web Archive:
