Understanding CVE-2025-29927: The Next.js Middleware Authorization Bypass Vulnerability
ID: 8ec2db27-caef-583a-afd5-a1443d26cc7e
STIX ID: report--8ec2db27-caef-583a-afd5-a1443d26cc7e
Feed Name: Datadog Security Labs
Datadog Security Research published an advisory for CVE-2025-29927, a Next.js middleware authorization bypass that lets attackers supply a crafted x-middleware-subrequest header to skip middleware security checks and access protected routes; the advisory lists affected Next.js versions, proof-of-concept details and remediation (upgrade or drop the header), and includes observed scanner IPs and User-Agent indicators.
