On March 21, 2025, a new critical authorization bypass vulnerability in Next.js with a CVSS score of 9.1 was assigned CVE-2025-29927 and made public. This vulnerability allows attackers to bypass authentication and authorization checks by exploiting a flaw in the framework’s middleware handling, leaving sensitive routes open to unauthorized access.

The vulnerability can be exploited without authentication, granting unauthorized access to protected routes.

The Akamai Security Intelligence Group (SIG) has seen initial exploit attempts probing potential servers for this vulnerability.

In this blog post, Akamai researchers provide in-depth details about the vulnerability, exploitation techniques, and detection strategies.…