
Critical Security Flaw Discovered in React Next.js Framework
A critical security flaw has been discovered in the Next.js React framework, potentially allowing attackers to bypass authorization checks under certain conditions. The vulnerability, tracked as CVE-2025-29927, has a CVSS score of 9.1 out of 10.0. Next.js uses an internal header, x-middleware-subrequest, to prevent recursive requests from triggering infinite loops.
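
Because x-middleware-subrequest is an internal header, a request arriving from a client should not carry it, so a layer in front of the application can drop it and record that it was sent. The JavaScript below is an added example, not code from the original page or from the Next.js project; the names sanitizeInbound and INTERNAL_ONLY, the audit record shape and the sample headers are hypothetical, and it assumes headers arrive in the layout of Node's http.IncomingMessage.rawHeaders.

```javascript
// Added example: INTERNAL_ONLY and sanitizeInbound are hypothetical names.
// Headers that only the framework itself should set; clients must never supply them.
const INTERNAL_ONLY = new Set(["x-middleware-subrequest"]);

// rawHeaders follows Node's http.IncomingMessage.rawHeaders layout:
// [name1, value1, name2, value2, ...] with original casing and duplicates preserved.
function sanitizeInbound(rawHeaders, remoteAddr) {
  const kept = [];
  const dropped = [];
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i];
    const value = rawHeaders[i + 1];
    // Header names are case-insensitive, so compare in lowercase.
    if (INTERNAL_ONLY.has(name.toLowerCase())) {
      // Record the name as sent and the value length, not the value itself.
      dropped.push({ name, length: value.length });
    } else {
      kept.push(name, value);
    }
  }
  // One audit record per offending request, or null when the request was clean.
  const audit = dropped.length
    ? { event: "internal_header_from_client", remoteAddr, count: dropped.length, headers: dropped }
    : null;
  return { headers: kept, audit };
}

// Constructed sample request headers (not captured traffic); the header appears
// twice with different casing to show that every occurrence is removed.
const sample = [
  "Host", "app.example.test",
  "X-Middleware-Subrequest", "constructed-value",
  "Accept", "text/html",
  "x-middleware-subrequest", "second-constructed-value",
];

const result = sanitizeInbound(sample, "203.0.113.7");
console.log(result.headers);
console.log(JSON.stringify(result.audit));
```

The sanitized list is what gets forwarded to the application; the audit record can feed an alert, since legitimate browsers have no reason to send this header.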