Through responsible disclosure by a security researcher, a vulnerability in Next.js, CVE-2025-29927, has been published that allows an attacker to bypass Next.js middleware entirely by manipulating a middleware header. The vulnerability works by manipulating the `x-middleware-subrequest` header, which Next.js middleware adds to track subrequests and prevent infinite loops. An attacker can exploit it with a simple curl command, potentially gaining unauthorized access to routes protected by middleware. Developers who use Next.js middleware for authorization or other security controls should upgrade immediately; apps hosted on Vercel are protected, but upgrading is still recommended. AuthKit NextJS itself does not need to be updated, and layered security remains the best practice: upgrading to a patched version of Next.js properly protects apps, and implementing route-level checks with `withAuth` as a defense-in-depth measure is also recommended.
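To make the layered-defense point concrete, here is an added example (not code from the original post, from Next.js, or from AuthKit): a toy JavaScript model of the request pipeline in which the loop-prevention header, when it arrives on an external request, causes the middleware to be skipped. A route that performs its own session check still denies such a request, and stripping the internal header at the edge restores the middleware check. The request shape, `runMiddleware`, `layeredRoute`, and `stripInternalHeaders` are assumptions for this model, and the header handling is simplified.

```javascript
// Added example, not part of the original post: a simplified model of a
// Next.js-style pipeline showing why route-level authorization must not
// depend on middleware having run. Header semantics are deliberately simplified.
const SUBREQUEST_HEADER = "x-middleware-subrequest";

// Simplified model of the pre-patch behaviour: middleware is skipped when the
// internal loop-prevention header is present on the incoming request.
function runMiddleware(req) {
  if (req.headers[SUBREQUEST_HEADER] !== undefined) return { skipped: true };
  if (!req.session) return { skipped: false, status: 401 };
  return { skipped: false, status: 200 };
}

// Route that trusts middleware alone (the pattern the advisory warns about).
function middlewareOnlyRoute(req) {
  const mw = runMiddleware(req);
  return mw.skipped ? 200 : mw.status;
}

// Route with its own session check, modelling a withAuth-style
// defense-in-depth check that holds even if middleware never ran.
function layeredRoute(req) {
  const mw = runMiddleware(req);
  if (!mw.skipped && mw.status !== 200) return mw.status;
  if (!req.session) return 401;
  return 200;
}

// Edge mitigation: drop the internal header from externally received
// requests before they reach the app, as a reverse proxy or CDN would.
function stripInternalHeaders(req) {
  const headers = { ...req.headers };
  delete headers[SUBREQUEST_HEADER];
  return { ...req, headers };
}

// Constructed sample request: no session, internal header supplied by the client.
const suspicious = {
  path: "/admin",
  session: null,
  headers: { [SUBREQUEST_HEADER]: "value-set-by-client" },
};

// Constructed sample request from a properly signed-in user.
const signedIn = { path: "/admin", session: { user: "alice" }, headers: {} };
```

Running `layeredRoute(suspicious)` returns 401 while `middlewareOnlyRoute(suspicious)` returns 200, which is exactly the gap that route-level checks close.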