Next.js Authorization Bypass Vulnerability in Middleware for Dynamic Routes

Vulnerability

An authorization bypass vulnerability has been identified in Next.js versions from 15.4.0 up to but not including 15.5.16, and from 16.0.0 up to but not including 16.2.5. It affects applications that use middleware to protect dynamic routes. In affected deployments, specially crafted query parameters can change the dynamic route value the page resolves while the visible request path stays unchanged, so the page can serve protected content for a route value that the middleware never verified.

Impact

Exploitation of this vulnerability can lead to unauthorized access to protected content by bypassing middleware checks on dynamic routes.

Remediation

Upgrade to Next.js 15.5.16 or 16.2.5 to address this vulnerability. If an immediate upgrade is not possible, enforce authorization inside the route or page logic itself, against the dynamic route value the page actually resolves, rather than relying solely on middleware path matching.
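The following is an added example, not code from the advisory or from the Next.js project, showing the defence-in-depth pattern the remediation recommends: the page handler authorizes on the dynamic route value it is about to render, and additionally rejects requests where that value disagrees with the segment named in the visible path. The handler shape (handleOrgPage with a pathname, resolved params and a session), the /orgs/[orgId] route and the ORG_MEMBERS table are all constructed for this example and do not model the Next.js page API.

```javascript
// Added example: authorization enforced in the page/route handler itself, on the
// resolved dynamic-route value, instead of trusting a pathname-based middleware check.
// All names and data below are constructed for illustration.

// Constructed sample data: which users may read which organisation.
const ORG_MEMBERS = {
  "org-1": new Set(["alice"]),
  "org-2": new Set(["bob"]),
};

// The actual authorization decision, keyed on the resource id the page will use.
function canReadOrg(session, orgId) {
  if (!session || typeof session.user !== "string") return false;
  const members = ORG_MEMBERS[orgId];
  return members !== undefined && members.has(session.user);
}

// Extract the dynamic segment from the visible path, the way a path-matching
// middleware for /orgs/[orgId] would see it. Returns null if the path does not match.
function orgIdFromPath(pathname) {
  const m = /^\/orgs\/([^/?#]+)$/.exec(pathname);
  return m ? decodeURIComponent(m[1]) : null;
}

// Models a page handler for /orgs/[orgId]. `params` stands for the dynamic-route
// params the page resolves; `pathname` for the request path the middleware matched.
// Returns { status, body } so the outcome can be checked without a framework.
function handleOrgPage({ pathname, params, session }) {
  const pathOrgId = orgIdFromPath(pathname);
  const pageOrgId = params && params.orgId;

  // Consistency check: the value the page is about to render must be the one the
  // visible path named. A disagreement means the middleware checked something else.
  if (pathOrgId === null || typeof pageOrgId !== "string" || pathOrgId !== pageOrgId) {
    return { status: 400, body: "route parameter mismatch" };
  }

  // Authorization is performed here, on pageOrgId, regardless of any middleware result.
  if (!canReadOrg(session, pageOrgId)) {
    return { status: 403, body: "forbidden" };
  }

  return { status: 200, body: `org ${pageOrgId} dashboard` };
}

// Usage: a member of org-1 reading org-1 is allowed; everything else is refused.
const allowed = handleOrgPage({
  pathname: "/orgs/org-1",
  params: { orgId: "org-1" },
  session: { user: "alice" },
});
const mismatch = handleOrgPage({
  pathname: "/orgs/org-1",
  params: { orgId: "org-2" },
  session: { user: "alice" },
});
console.log(allowed.status, mismatch.status); // 200 400
```

The key property is that the 403 decision depends only on the value the page actually renders with, so a middleware that matched the visible path against a different value cannot grant access on the page's behalf; the 400 branch is an extra guard that surfaces such disagreements in logs rather than silently serving either value.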

Added: May 13, 2026, 7:59 PM
Updated: May 13, 2026, 7:59 PM

Vulnerability Rating

Custom Algorithm

  spread          5.2
  impact          0.6
  exploitability  6.8
  remediation     8.3
  relevance       8.2
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.