Vercel Next.js App Router Middleware Bypass Vulnerability

Vulnerability

A vulnerability exists in Vercel Next.js versions from 15.2.0 before 15.5.16 and from 16.0.0 before 16.2.5 that allows unauthorized access in App Router applications whose authorization depends on middleware or proxy-based checks. The issue arises from transport-specific route variants used for segment prefetching, which can bypass the intended middleware rules. In affected setups, specially crafted .rsc and segment-prefetch URLs may resolve to the same page as the normal route without triggering its authorization checks, potentially exposing protected content.

Impact

Exploitation of this vulnerability can lead to unauthorized access to protected content, bypassing the expected authorization checks.

Remediation

Users can upgrade to Next.js 15.5.16 or 16.2.5 to address this vulnerability. If an immediate upgrade is not possible, enforce authorization in the underlying route or page logic rather than relying solely on middleware, so that every transport variant that resolves to the page is subject to the same check.
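The following is an added illustration of the interim mitigation above; it is not code from the advisory or from the Next.js project. It shows an App Router route handler that performs its own authorization check, so the check runs for any request that reaches the route regardless of which URL variant brought it there or whether middleware ran. It uses only the standard Request/Response API that Next.js route handlers receive, so it runs without Next.js installed; the session store, cookie name, file path and role names are constructed for the example.

```typescript
// Added example (not Next.js project code): authorization enforced inside the
// route handler itself rather than in middleware. Shaped like a hypothetical
// app/admin/report/route.ts; uses only the Web Request/Response API.

type Session = { user: string; roles: string[] };

// Constructed sample session store for the example. A real application would
// validate the session id against its auth provider or session backend.
const SESSIONS: Record<string, Session> = {
  sess_alice_ok: { user: "alice", roles: ["admin"] },
  sess_bob_ok: { user: "bob", roles: ["viewer"] },
};

// Read one cookie from the Cookie header; no other request property is trusted.
export function getCookie(request: Request, name: string): string | null {
  const header = request.headers.get("cookie") ?? "";
  for (const part of header.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return rest.join("=");
  }
  return null;
}

// Resolve the caller's session, or null when there is none or it is unknown.
export function getSession(request: Request): Session | null {
  const id = getCookie(request, "session"); // cookie name is an assumption
  if (!id) return null;
  return SESSIONS[id] ?? null;
}

// The authorization decision, made at the route. Returns null when access is
// allowed, otherwise the Response that should be sent instead of the content.
export function authorize(request: Request, requiredRole: string): Response | null {
  const session = getSession(request);
  if (!session) return new Response("Unauthorized", { status: 401 });
  if (!session.roles.includes(requiredRole)) {
    return new Response("Forbidden", { status: 403 });
  }
  return null;
}

// Route handler: every request that lands here is checked here, so an
// HTML, .rsc or segment-prefetch variant of the URL gets the same answer.
export function GET(request: Request): Response {
  const denied = authorize(request, "admin");
  if (denied) return denied;
  const session = getSession(request)!; // non-null: authorize() succeeded
  return new Response(JSON.stringify({ report: "quarterly", viewer: session.user }), {
    status: 200,
    headers: { "content-type": "application/json" },
  });
}
```

The same pattern applies to a server component page: resolve the session and check the role at the top of the page function and redirect or throw before rendering protected data, rather than assuming middleware already did so.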

Added: May 13, 2026, 7:59 PM
Updated: May 13, 2026, 7:59 PM

Vulnerability Rating (Custom Algorithm)

spread          5.2
impact          0.6
exploitability  8.3
remediation     7.9
relevance       8.2
threat          0.0
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.