Next.js Pages Router Middleware Bypass Vulnerability in Internationalized Applications

Vulnerability

A vulnerability exists in Next.js applications that use the Pages Router with internationalization (i18n) configured and that rely on middleware or proxy-based authorization. In these applications, unauthorized access to protected page data can be gained through locale-less data requests. The issue arises because middleware does not execute for the unprefixed data route, allowing attackers to obtain server-side rendered JSON for protected pages without the necessary authorization. This vulnerability affects Next.js versions from 12.2.0 up to, but not including, 15.5.16, and from 16.0.0 up to, but not including, 16.2.5.

Impact

Exploitation of this vulnerability allows unauthorized access to protected page data, bypassing intended authorization checks and potentially exposing sensitive information.

Remediation

Users can upgrade to Next.js versions 15.5.16 or 16.2.5 to address this vulnerability. If an immediate upgrade is not possible, authorization should be enforced in the page's server-side data path instead of relying solely on middleware.
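
One way to enforce authorization in the page's server-side data path, so that the check runs for every route that reaches the data loader whether or not middleware executed. This is an added example, not code from the Next.js project or this advisory; `sessionStore`, `SESSION_COOKIE`, `sessionFromRequest`, `requireSession` and the sample session ids are hypothetical.

```javascript
// Added example: authorization enforced inside getServerSideProps.
// All names and sample values below are hypothetical / constructed.
const SESSION_COOKIE = "sid";

// Constructed sample store; a real app would query its session backend.
const sessionStore = new Map([
  ["s3ss10n-alice", { user: "alice", roles: ["admin"] }],
  ["s3ss10n-bob", { user: "bob", roles: ["viewer"] }],
]);

// Resolve the caller from the request itself, never from a header or flag
// that middleware was expected to set.
function sessionFromRequest(req) {
  const sid = req && req.cookies ? req.cookies[SESSION_COOKIE] : undefined;
  if (typeof sid !== "string" || sid.length === 0) return null;
  return sessionStore.get(sid) || null;
}

// Wrap a page's data loader so it only runs for an authorized session.
// Both HTML renders and data-route requests call getServerSideProps, so the
// check applies to each of them.
function requireSession(role, loader) {
  return async function getServerSideProps(context) {
    const session = sessionFromRequest(context.req);
    if (!session) {
      // Unauthenticated: no props are ever computed.
      return { redirect: { destination: "/login", permanent: false } };
    }
    if (!session.roles.includes(role)) {
      // Authenticated but not permitted: do not reveal the page exists.
      return { notFound: true };
    }
    return loader(context, session);
  };
}

// In a page file this constant would be exported as getServerSideProps.
const getServerSideProps = requireSession("admin", async (context, session) => {
  return { props: { owner: session.user, report: "constructed sample data" } };
});
```

Middleware can stay in place as a first layer; the wrapper makes the page's own data loader the point where access is decided.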

Added: May 13, 2026, 8:01 PM
Updated: May 13, 2026, 8:01 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 8.3
remediation: 7.9
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.