nextjs
Safeguard articles tagged "nextjs" — guides, analysis, and best practices for software supply chain and application security.
6 articles
CVE-2025-29927: inside the Next.js middleware auth bypass
A single spoofed header let attackers skip Next.js middleware entirely — CVSS 9.1, four major versions affected, exploited in the wild within days.
Inside CVE-2025-55182: the React Server Components RCE and how to defend against it
A CVSS 10.0 pre-auth RCE in React Server Components, exploited within 48 hours of disclosure — how the deserialization flaw works and how to mitigate it.
Secure conditional rendering in React and Next.js Server Components
A CVSS 10.0 React Server Components flaw, patched in December 2025, shows why {isAdmin && <Panel/>} isn't access control — the data ships to the client either way.
CVE-2025-29927: Next.js middleware authorization bypass
A spoofable internal header let attackers skip Next.js middleware outright, bypassing auth and route protection across many production deployments.
Next.js Middleware Authorization Bypass: CVE-2025-29927
A critical flaw in Next.js allowed attackers to bypass middleware-based authorization by setting a single HTTP header. Applications relying on middleware for auth checks were completely exposed.
Next.js Security Hardening Guide
Harden your Next.js application with secure headers, API route protection, and server component safety practices.