Next.js middleware is vulnerable to an authorization bypass that lets external clients skip the authentication decisions made in middleware when they send requests to protected routes. The vulnerability, identified as CVE-2025-29927, affects Next.js applications running versions 15.x before 15.2.3, 14.x before 14.2.25, and 13.x before 13.5.9. To prevent this critical authorization bypass and the circumvention of other middleware logic, developers are urged to upgrade to and deploy a Next.js release that carries the fix. Cloudflare offers a managed WAF rule that developers can turn on as an opt-in workaround, while applications hosted on Vercel and Netlify are not affected. Remediation is therefore available by upgrading to a fixed version, applying firewall rules, or deploying to an unaffected cloud hosting platform.
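To check a project against the version ranges listed above, the following added example (not code from the advisory or from the Next.js project) walks an npm `package-lock.json` and classifies every installed copy of `next`, including nested workspace copies. The function names and the sample lockfile are hypothetical; it assumes the lockfileVersion 2/3 `packages` layout and, as a conservative assumption, treats a prerelease of a fixed version as still affected, following semver ordering.

```javascript
// First fixed release per major line, taken from the version ranges stated above.
const FIXED = { 13: [13, 5, 9], 14: [14, 2, 25], 15: [15, 2, 3] };

// Classify one version string: "affected", "fixed", "not-listed" or "unparseable".
function classifyNextVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(version).trim());
  if (!m) return "unparseable";
  const parts = [Number(m[1]), Number(m[2]), Number(m[3])];
  const fixed = FIXED[parts[0]];
  if (!fixed) return "not-listed"; // major line outside the ranges stated above
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i] ? "affected" : "fixed";
  }
  // Same x.y.z as the fix: a prerelease tag sorts before the release in semver.
  return m[4] ? "affected" : "fixed";
}

// Walk a package-lock.json object (lockfileVersion 2 or 3) and report every
// installed copy of `next`, including copies nested under workspaces.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/next" || path.endsWith("/node_modules/next")) {
      findings.push({ path, version: meta.version, status: classifyNextVersion(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/next": { version: "15.2.3" },
    "apps/admin/node_modules/next": { version: "14.2.24" },
    "apps/legacy/node_modules/next": { version: "13.5.9-canary.2" },
    "node_modules/next-auth": { version: "4.24.0" },
    "node_modules/@scope/pkg/node_modules/next": { version: "12.3.4" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

In CI, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile` and fail the build on any `affected` entry; `not-listed` means the major line is outside the ranges given here and needs a separate look.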