Any customer-facing portal, internal tool, or API built on an affected Next.js version could allow unauthorized users to access protected data or functionality without logging in. Depending on what the application handles, this could mean exposure of customer data, internal records, or privileged application features — carrying direct regulatory and reputational consequences. Restoring trust after an unauthorized access incident typically requires breach notification, audit response, and potential regulatory reporting, all of which carry material cost.
You Are Affected If
You run the next npm package at a version >= 16.0.0 and < 16.2.5 in any production application
Your Next.js application relies on middleware for authentication or authorization enforcement
The affected application is internet-facing or accessible to untrusted users
You have not yet upgraded to next >= 16.2.5 or applied a WAF rule blocking malformed route parameters
Your application exposes dynamic routes (e.g., /dashboard/[id], /api/[resource]) that are protected only at the middleware layer
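The last two conditions above describe applications whose dynamic routes are protected only by middleware. The added example below (not code from the advisory or from Next.js) shows the defence-in-depth counterpart: a route handler for a path like /api/[resource] that validates the dynamic segment and re-checks the caller's session itself, so a request that reaches the handler without passing middleware is still refused. The in-memory session store, the cookie name "session", and the resource id format are constructed assumptions; in a real application the session lookup would call your session backend.

```javascript
// Added example, not from the advisory or Next.js: a route-level authorization
// check that a dynamic route handler performs itself, independent of middleware.
// Assumptions (hypothetical): sessions are looked up by the value of a "session"
// cookie, and each session lists the resource ids its user may read.

// Constructed in-memory session store standing in for a real session backend.
const SESSIONS = new Map([
  ["sess-alice", { userId: "alice", resources: ["inv-1001", "inv-1002"] }],
]);

// Parse a Cookie header into a plain object of name -> value.
function parseCookies(cookieHeader) {
  const out = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Resolve the caller's session from request headers; null when absent or unknown.
function getSession(headers) {
  const cookies = parseCookies(headers.cookie || headers.Cookie);
  const id = cookies.session;
  if (!id) return null;
  return SESSIONS.get(id) || null;
}

// Expected shape of a resource id (constructed for this example). Rejecting
// anything else also rejects malformed parameters that a routing layer may
// have interpreted differently from the handler.
const RESOURCE_ID = /^[a-z]+-\d{1,8}$/;

// Handler for a route like /api/[resource]. Returns { status, body } so it can
// be exercised without a framework; in Next.js the same logic would wrap the
// Response the handler returns.
function handleResourceGet(headers, params) {
  const resource = params.resource;
  if (typeof resource !== "string" || !RESOURCE_ID.test(resource)) {
    return { status: 400, body: { error: "invalid resource id" } };
  }
  const session = getSession(headers);
  if (!session) {
    return { status: 401, body: { error: "authentication required" } };
  }
  if (!session.resources.includes(resource)) {
    return { status: 403, body: { error: "forbidden" } };
  }
  return { status: 200, body: { resource, owner: session.userId } };
}
```

The order of checks matters: the id is validated before any lookup so an unexpected segment shape never reaches data access, and authentication is checked before authorization so the response does not reveal whether a resource exists to an anonymous caller.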
Board Talking Points
A high-severity flaw in a widely used web development framework could allow unauthorized users to bypass login and access controls on any affected web application we operate.
Engineering teams should upgrade affected applications to the patched version within 24-48 hours; a verified inventory of affected systems is the immediate first step.
If left unpatched, any internet-facing application built on this framework version is a viable target for unauthorized access, with potential data exposure and regulatory notification obligations.
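The inventory step named above comes down to reading each application's lockfile and testing the resolved next version against the affected range (>= 16.0.0 and < 16.2.5). The added example below (not code from the advisory or from Next.js) does exactly that for package-lock.json files: it handles the lockfileVersion 2/3 "packages" layout and the older v1 "dependencies" layout, treats prereleases of 16.2.5 as still affected, and produces a per-application report. The three lockfile fragments are constructed samples; in use you would read the real files from disk in place of the SAMPLE_LOCKS map.

```javascript
// Added example, not from the advisory or Next.js: classify lockfiles by whether
// their resolved "next" version falls in the affected range >= 16.0.0, < 16.2.5.

const AFFECTED_MIN = [16, 0, 0]; // inclusive lower bound
const FIXED = [16, 2, 5];        // exclusive upper bound: first patched version

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v" and optional
// prerelease suffix; returns { parts, prerelease } or null when unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Lexicographic comparison of [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is inside [16.0.0, 16.2.5). A prerelease of 16.2.5
// predates the fix, so it counts as affected; a prerelease of 16.0.0 predates
// the affected range, so it does not.
function isAffectedVersion(v) {
  const p = parseVersion(v);
  if (!p) return false;
  const cmpMin = compareVersions(p.parts, AFFECTED_MIN);
  const cmpFix = compareVersions(p.parts, FIXED);
  if (cmpMin < 0 || (cmpMin === 0 && p.prerelease)) return false;
  if (cmpFix < 0) return true;
  return cmpFix === 0 && p.prerelease;
}

// Extract the resolved next version from a parsed package-lock.json object.
function nextVersionFromLock(lock) {
  const pkg = lock.packages && lock.packages["node_modules/next"];
  if (pkg && pkg.version) return pkg.version;           // lockfileVersion 2/3
  const dep = lock.dependencies && lock.dependencies.next;
  if (dep && dep.version) return dep.version;           // lockfileVersion 1
  return null;                                          // next not installed
}

// Classify one lockfile's JSON text as { version, affected }.
function assessLock(lockJson) {
  const version = nextVersionFromLock(JSON.parse(lockJson));
  return { version, affected: version !== null && isAffectedVersion(version) };
}

// Constructed sample lockfiles standing in for real applications.
const SAMPLE_LOCKS = {
  "portal/package-lock.json": JSON.stringify({
    lockfileVersion: 3,
    packages: { "node_modules/next": { version: "16.1.3" } },
  }),
  "admin-tool/package-lock.json": JSON.stringify({
    lockfileVersion: 3,
    packages: { "node_modules/next": { version: "16.2.5" } },
  }),
  "legacy-api/package-lock.json": JSON.stringify({
    lockfileVersion: 1,
    dependencies: { next: { version: "15.4.2" } },
  }),
};

// Build the inventory report: path -> { version, affected }.
function inventory(locks) {
  const report = {};
  for (const [path, json] of Object.entries(locks)) {
    report[path] = assessLock(json);
  }
  return report;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [path, r] of Object.entries(inventory(SAMPLE_LOCKS))) {
    console.log(`${path}: next ${r.version ?? "not found"} -> ${r.affected ? "AFFECTED, upgrade" : "ok"}`);
  }
}
```

Check the lockfile rather than the package.json range: a range such as "^16.1.0" says nothing about which version is actually deployed, and a single repository can pin next differently in nested workspaces, so walk every package-lock.json in the tree.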