First published: 25 Mar 2025
Last updated: 25 Mar 2025

Content written for

Small & medium business
Large organisations & infrastructure
Government

This alert is relevant to Australian organisations that use affected Next.js versions. This alert is intended to be understood by technical users.

Customers are encouraged to upgrade to the latest version of Next.js, as detailed in the Next.js advisory.

Background / What has happened?

  • Next.js has published an advisory detailing a vulnerability that could allow a remote attacker to bypass security checks, including many forms of authentication.
  • Self-hosted Next.js applications using middleware ("next start" with "output:standalone") are affected.
  • Next.js uses an internal header (x-middleware-subrequest) to prevent recursive requests from triggering infinite loops.
  • Middleware can be skipped, which could allow requests to bypass critical checks, such as authorisation cookie validation, before reaching routes.
  • Affected versions/applications:
    • Next.js 15.x versions prior to 15.2.3
    • Next.js 14.x versions prior to 14.2.25
    • Next.js 13.x versions prior to 13.5.9
    • Next.js 12.x versions prior to 12.3.5
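
To apply the version list above across a project, the following added example (not part of this alert or of the Next.js project) classifies every copy of `next` recorded in a parsed npm `package-lock.json`. The function names, the `review` status for pre-release builds and the sample lockfile are assumptions constructed for illustration.

```javascript
// First fixed release per major line, from the affected-versions list above.
const FIXED = { 15: [15, 2, 3], 14: [14, 2, 25], 13: [13, 5, 9], 12: [12, 3, 5] };

// Returns 'affected', 'fixed', 'review' or 'unlisted'.
function classifyNextVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  const v = [Number(m[1]), Number(m[2]), Number(m[3])];
  const fixed = FIXED[v[0]];
  if (!fixed) return 'unlisted'; // major line not named in the alert
  for (let i = 1; i < 3; i++) {  // numeric compare of minor, then patch
    if (v[i] < fixed[i]) return 'affected';
    if (v[i] > fixed[i]) break;
  }
  // Assumption: a pre-release tag (e.g. -canary.2) at or above the fixed
  // numbers may predate the fix, so it is flagged for manual review.
  return m[4] ? 'review' : 'fixed';
}

// Walks the "packages" map of a parsed package-lock.json (lockfile v2/v3) and
// reports every installed copy of next, including nested and workspace copies.
function auditLockfile(lock) {
  const findings = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    const isNext = pkgPath === 'node_modules/next' || pkgPath.endsWith('/node_modules/next');
    if (!isNext || !entry.version) continue;
    findings.push({ path: pkgPath, version: entry.version, status: classifyNextVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-site' },
    'node_modules/next': { version: '14.2.24' },
    'node_modules/next-auth': { version: '4.24.5' }, // different package, ignored
    'apps/admin/node_modules/next': { version: '15.2.3' },
    'apps/legacy/node_modules/next': { version: '12.3.5-canary.2' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(8)} ${f.version.padEnd(16)} ${f.path}`);
}
```

The lockfile records what is actually installed, which the version range in `package.json` does not.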

Mitigation / How do I stay secure?

The ASD’s ACSC recommends that individuals, businesses, organisations and government entities:

  • Follow Next.js advice for affected versions.
  • Consider updating all self-hosted Next.js deployments immediately.

Further information and details to investigate potential compromise can be found in the Next.js Security release.

Assistance / Where can I go for help?

Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).
