Author
Yoav Saporta, JFrog Junior Security Researcher

Summary

On March 21st, 2025, a critical vulnerability named CVE-2025-29927 was discovered in Next.js, affecting versions 11.1.4 to 15.2.2, which can lead to authorization bypass and potentially cache poisoning and denial of service. This flaw is primarily exploitable when a Next.js server employs middleware that inadequately handles requests with the custom x-middleware-subrequest header, allowing attackers to bypass authorization checks by including this header in their HTTP requests. The vulnerability arises due to inconsistent processing of these headers, enabling unauthorized access to protected resources. Mitigation strategies include upgrading Next.js to fixed versions, removing the vulnerable header via web server configurations, or using a Web Application Firewall. Additionally, tools like JFrog Xray and JFrog Advanced Security offer mechanisms to identify and assess vulnerabilities related to this issue across codebases and deployments, ensuring that Next.js instances using middleware are correctly secured against CVE-2025-29927 exploits.
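The summary above names two of the mitigations a defender can apply without touching the application: drop the `x-middleware-subrequest` header before it reaches Next.js, and watch for requests that carry it. The block below is an added example (not JFrog's or the Next.js project's code) showing both at a reverse-proxy or edge layer in front of a Next.js instance. It assumes requests are represented as plain objects with a `headers` map, that everything arriving at this layer is an untrusted external client, and that access logs are one JSON object per line; the log lines and header values are constructed samples.

```javascript
// Added example: defensive handling of the x-middleware-subrequest header at a
// reverse proxy / edge layer in front of a Next.js app (not Next.js' own code).
// Assumptions: requests are { path, headers: {...} } objects and everything
// reaching this layer comes from an external, untrusted client.

const BLOCKED_HEADER = "x-middleware-subrequest";

// Mitigation: return a copy of the request with the header removed (header
// names are matched case-insensitively, since HTTP header names are), plus a
// flag telling the caller whether anything was stripped so it can be logged.
function stripSubrequestHeader(req) {
  const headers = {};
  let stripped = false;
  for (const [name, value] of Object.entries(req.headers || {})) {
    if (name.toLowerCase() === BLOCKED_HEADER) {
      stripped = true; // never forward it, whatever the value
      continue;
    }
    headers[name] = value;
  }
  return { req: { ...req, headers }, stripped };
}

// Detection: scan access-log lines (assumed format: one JSON object per line
// with ts, ip, path and a "headers" object) and return the requests that
// carried the header from outside. Malformed lines are skipped, not fatal.
function findSubrequestAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue;
    }
    const names = Object.keys(entry.headers || {}).map((n) => n.toLowerCase());
    if (names.includes(BLOCKED_HEADER)) {
      hits.push({ ts: entry.ts, ip: entry.ip, path: entry.path });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic; values are placeholders).
const SAMPLE_LOGS = [
  '{"ts":"2025-03-22T10:00:01Z","ip":"203.0.113.7","path":"/admin","headers":{"X-Middleware-Subrequest":"placeholder","user-agent":"curl/8.0"}}',
  '{"ts":"2025-03-22T10:00:02Z","ip":"198.51.100.4","path":"/","headers":{"user-agent":"Mozilla/5.0"}}',
  "not json at all",
  '{"ts":"2025-03-22T10:00:03Z","ip":"203.0.113.7","path":"/api/users","headers":{"x-middleware-subrequest":"placeholder"}}',
];

// Stand-alone demo when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  const incoming = { path: "/admin", headers: { "X-Middleware-Subrequest": "placeholder", host: "example.test" } };
  const { req, stripped } = stripSubrequestHeader(incoming);
  console.log("stripped:", stripped, "forwarded headers:", req.headers);
  console.log("flagged requests:", findSubrequestAttempts(SAMPLE_LOGS));
}
```

Stripping the header unconditionally is the right default for an edge layer: Next.js sets it internally, so a copy arriving from the internet has no legitimate origin. The detection half is the part worth wiring into alerting, because a hit from an external address is a direct attempt against the issue described above, regardless of whether the upstream has already been patched.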