A security vulnerability in Next.js was responsibly disclosed, which allows malicious actors to bypass authorization in Middleware when targeting the x-middleware-subrequest header.
Vercel customers are not affected. We still recommend updating to the patched versions. Learn more about CVE-2025-29927.