How One Header Broke Next.js Auth — CVE-2025-29927
This vulnerability lets attackers bypass middleware-based authorization by injecting the x-middleware-subrequest header, allowing them to skip authentication checks and access restricted areas of the application.
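
A defensive check that follows from this: reject, and log, any inbound request that carries the header before it reaches the Next.js handler. This is an added example, not code from the original article or from Next.js; only the header name comes from the article, while the function names, log fields and sample values are assumptions made for illustration.

```javascript
// Added example: Connect/Express-style guard to mount in front of Next.js.
// Only the header name is taken from the article; all other names are hypothetical.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Return every client-supplied value of the internal header, or [] if absent.
// rawHeaders is Node's flat [name, value, name, value, ...] list as received,
// so duplicate headers and unusual casing are both caught.
function findSubrequestHeader(req) {
  const hits = [];
  const raw = req.rawHeaders || [];
  for (let i = 0; i + 1 < raw.length; i += 2) {
    if (raw[i].trim().toLowerCase() === BLOCKED_HEADER) hits.push(raw[i + 1]);
  }
  // Fall back to the parsed headers object when rawHeaders is unavailable.
  if (hits.length === 0 && req.headers) {
    for (const [name, value] of Object.entries(req.headers)) {
      if (name.toLowerCase() === BLOCKED_HEADER) hits.push(String(value));
    }
  }
  return hits;
}

// Block the request and emit one structured log line that detection can alert on.
// External clients have no reason to send this header, so a hit is a strong signal.
function rejectSubrequestHeader(req, res, next, log = console.warn) {
  const hits = findSubrequestHeader(req);
  if (hits.length === 0) return next();
  log(JSON.stringify({
    event: 'blocked_internal_header',
    header: BLOCKED_HEADER,
    occurrences: hits.length,
    ip: req.socket?.remoteAddress ?? null,
    method: req.method,
    url: req.url,
  }));
  res.statusCode = 400;
  res.end('Bad Request');
}
```

The guard complements upgrading to a patched Next.js release and does not replace it; the same rule can be enforced at a reverse proxy or WAF instead.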