Critical Middleware Vulnerability in Next.js (CVE-2025-29927) | UpGuard

ID: 2672bb1a-68c9-544d-9803-9a8c786bb895

STIX ID: report--2672bb1a-68c9-544d-9803-9a8c786bb895

Feed Name: UpGuard Blog

Threat Score: 80/100

Date Published: 2025-07-26

Date Updated: 2026-05-01

**CVE-2025-29927 (CVSS 9.1)**: A critical Next.js vulnerability enables authorization middleware bypass via a crafted `x-middleware-subrequest` header in self-hosted Next.js 11.1.4–15.2.2 when run with `next start` and `standalone` output; upgrade to patched releases (15.2.3, 14.2.25, 13.5.9, 12.3.5), or mitigate by removing the header at proxies and adding server-side authorization checks.
