HIGH · CVSS 7.5
CVE-2024-51479 — Next.js authorization bypass in pathname-based middleware
If an application performs authorization in middleware based on the request pathname, that check could be bypassed for pages directly under the application root (for example `/foo`). Authorization for the root path `/` itself and for nested pages such as `/foo/bar` was not affected.
Affects
- Next.js 9.5.5 through 14.2.14 (fixed in 14.2.15)
What an attacker does
The attacker requests a top-level page (say `/admin`) in a form that the middleware's pathname check does not match, while Next.js still routes the request to that page. Because the page relies on middleware for its only authorization decision, it serves the content as if the check had passed.
How to detect
Confirm the installed Next.js version from the lockfile or `node_modules/next/package.json` (a caret range in `package.json` is not enough), then review `middleware.ts` for authorization decisions keyed on `request.nextUrl.pathname` that protect pages directly under the root, and check whether those pages or API handlers enforce authorization themselves.
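One way to run the version part of that check, as an added example that is not Securie's or the Next.js project's code: it reads a `package.json`, finds the `next` dependency and reports whether the version falls in the range the advisory names as affected (`9.5.5` up to but not including `14.2.15`). The sample `package.json` contents are constructed for the example; the range check treats a spec such as `^14.2.10` as a hint only, since the lockfile holds the version that is actually installed.

```javascript
// Added example (not Securie or Next.js project code).
// Flags a Next.js version in the advisory's affected range: 9.5.5 <= v < 14.2.15.
const AFFECTED_FROM = [9, 5, 5];
const FIXED_IN = [14, 2, 15];

// Pull the numeric triple out of a version spec such as "14.2.14", "^14.2.10"
// or "14.2.14-canary.3"; returns null when no x.y.z is present ("latest", "*").
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = inside the affected range, false = outside it, null = unparseable.
function isAffectedNextVersion(spec) {
  const v = parseVersion(spec);
  if (!v) return null;
  return compareVersions(v, AFFECTED_FROM) >= 0 && compareVersions(v, FIXED_IN) < 0;
}

// Audit package.json text. A range spec (^, ~, >=, x, *) may already have
// resolved to a fixed release, so `isRange` tells the caller to consult the
// lockfile or node_modules/next/package.json for the installed version.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const deps = Object.assign({}, pkg.devDependencies || {}, pkg.dependencies || {});
  if (!("next" in deps)) return { found: false, version: null, affected: null, isRange: false };
  const spec = String(deps.next);
  const isRange = /^[\^~<>=]/.test(spec) || /[ x*]/.test(spec);
  return { found: true, version: spec, affected: isAffectedNextVersion(spec), isRange };
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_AFFECTED = JSON.stringify({ dependencies: { next: "14.2.14", react: "18.3.1" } });
const SAMPLE_FIXED = JSON.stringify({ dependencies: { next: "14.2.15", react: "18.3.1" } });
const SAMPLE_TOO_OLD = JSON.stringify({ dependencies: { next: "9.5.4" } });

for (const sample of [SAMPLE_AFFECTED, SAMPLE_FIXED, SAMPLE_TOO_OLD]) {
  console.log(auditPackageJson(sample));
}
```

Pre-release tags are ignored on purpose: `14.2.15-canary.N` is reported as `14.2.15`, so treat a canary build in that position as an installed-version question for the lockfile rather than a verdict.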
How to fix
Upgrade Next.js to 14.2.15 or later. Independently of the upgrade, enforce the authorization decision inside the page or API handler as well, so middleware is a first gate rather than the only one.
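The defense-in-depth half of that fix, as an added example that is not Securie's or the Next.js project's code: a wrapper that makes a `pages/api`-style `(req, res)` handler check the session itself, so a request that slips past middleware still gets a 401 or 403 here. The cookie name, the in-memory session store, the role names and the small `req`/`res` stand-ins used to run it outside Next.js are all assumptions for illustration.

```javascript
// Added example (not Securie or Next.js project code).
// The handler performs its own authorization instead of trusting that
// middleware already did; names and the session store below are assumptions.
const SESSION_COOKIE = "session"; // assumed cookie name

// Constructed session store standing in for a real lookup.
const SESSIONS = new Map([
  ["tok-admin", { user: "alice", role: "admin" }],
  ["tok-user", { user: "bob", role: "user" }],
]);

function parseCookies(header) {
  const out = {};
  for (const part of String(header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Resolve the session from the request's cookie header; null when absent or unknown.
function sessionFromRequest(req) {
  const token = parseCookies(req.headers && req.headers.cookie)[SESSION_COOKIE];
  return token ? SESSIONS.get(token) || null : null;
}

// Wrap a (req, res) handler so it runs only for an authenticated session
// whose role is in allowedRoles. 401 for no session, 403 for wrong role.
function withAuth(handler, allowedRoles) {
  return function guarded(req, res) {
    const session = sessionFromRequest(req);
    if (!session) {
      res.status(401).json({ error: "unauthenticated" });
      return;
    }
    if (!allowedRoles.includes(session.role)) {
      res.status(403).json({ error: "forbidden" });
      return;
    }
    req.session = session;
    return handler(req, res);
  };
}

// What pages/api/admin.js would export: the guarded handler.
const adminHandler = withAuth((req, res) => {
  res.status(200).json({ ok: true, user: req.session.user });
}, ["admin"]);

// Minimal stand-ins for Next's req/res so the example runs outside Next.js.
function makeReq(cookie) {
  return { headers: cookie ? { cookie } : {} };
}
function makeRes() {
  const r = { statusCode: 200, body: null };
  r.status = (code) => { r.statusCode = code; return r; };
  r.json = (body) => { r.body = body; return r; };
  return r;
}

// Invoke a handler with a given Cookie header and return what it answered.
function call(handler, cookie) {
  const req = makeReq(cookie);
  const res = makeRes();
  handler(req, res);
  return { status: res.statusCode, body: res.body };
}

console.log(call(adminHandler, undefined));            // no session -> 401
console.log(call(adminHandler, "session=tok-user"));   // wrong role -> 403
console.log(call(adminHandler, "session=tok-admin"));  // admin -> 200
```

The same `sessionFromRequest` check can back the middleware decision too; the point is that the handler no longer assumes the request is authorized just because it arrived.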
How Securie catches it
Securie models your middleware matcher graph and flags routes that bypass auth.