beforemerge-nextjs-review
Warn
Audited by Socket on Mar 15, 2026
1 alert found:
Security | MEDIUM | rules/security/sec-middleware-bypass.md
This advisory correctly highlights a high-severity design and framework vulnerability: Next.js middleware can be bypassed via an internal header (CVE-2025-29927), so middleware must not be the sole security boundary. Applications that rely only on middleware for auth/authorization are at high risk of complete authentication bypass and destructive unauthorized actions. Recommended mitigations: implement authoritative auth/authorization checks inside every route handler and Server Action, strip internal headers at proxies if self-hosting, and scan codebases for handlers that lack explicit auth checks.
Confidence: 90% | Severity: 70%
Audit Metadata