PT-2025-12427 · Next.Js · Next.Js

Published

2025-03-21

·

Updated

2025-08-01

·

CVE-2025-29927

CVSS v2.0
9.4
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N

## Vulnerability Report

**Name of the Vulnerable Software and Affected Versions:** Next.js versions 11.1.4 through 15.2.2. Patches are available in versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

**Description:**

A critical authorization bypass exists in Next.js middleware. Next.js uses the `x-middleware-subrequest` request header internally to mark subrequests issued by middleware itself, and skips middleware execution for requests that carry it. Because the header is accepted from any client without verification, an external attacker can supply it with a value the runtime recognises and have the middleware skipped entirely, so any authentication, authorization, redirect or header-rewriting logic implemented in middleware never runs and routes it was meant to protect become reachable. Applications that do not use middleware for access control are not exposed to the bypass. The vulnerability has a CVSS v3.1 base score of 9.1. Exploitation has been observed in the wild.

**Recommendations:**

* Upgrade to the patched release of the major line in use: 12.3.5, 13.5.9, 14.2.25 or 15.2.3 (or later). There is no patched 11.x release; applications on Next.js 11 must move to 12.3.5 or later.

* If upgrading is not immediately possible, block requests that carry the `x-middleware-subrequest` header at the web server, reverse proxy or CDN in front of the application. The header is purely internal and a legitimate external client never sends it, so rejecting or stripping it has no effect on normal traffic; the rule must cover every path by which requests reach the Next.js process, or it provides no protection.

* Do not rely on middleware as the sole authorization gate. Re-check identity and permissions in the route handlers, server components, server actions and data-access code that serve protected content, so that skipping middleware alone does not expose data.

* Monitor access logs for inbound requests carrying `x-middleware-subrequest`; its presence on an external request is itself an indicator of an exploitation attempt against this vulnerability.

* A Web Application Firewall that can match on request headers can apply the same blocking rule centrally, and its logs double as the detection source for the previous point.

Weakness Enumeration

Improper Authorization (CWE-285)

Related Identifiers

BDU:2025-03185
CVE-2025-29927
GHSA-F82V-JWR5-MFFW

Affected Products

Next.Js