Next.js versions 15.2.0 to before 15.5.16 and 16.0.0 to before 16.2.5 contain an authentication bypass vulnerability (CWE-288) in App Router applications relying on middleware or proxy-based authorization. The vulnerability occurs because transport-specific route variants used for segment prefetching (.rsc and segment-prefetch URLs) can resolve to the same page without triggering the expected middleware authorization checks. This allows unauthorized users to access protected content by exploiting alternate URL paths. The issue is addressed in versions 15.5.16 and 16.2.5.

An attacker can bypass authorization checks and access protected content without proper authentication. The vulnerability does not affect data integrity or availability but compromises confidentiality by allowing unauthorized read access. The CVSS 3.1 base score is 7.5 (high severity), reflecting network attack vector, low complexity, no privileges required, no user interaction, and high confidentiality impact.

Upgrade Next.js to version 15.5.16 or later, or 16.2.5 or later, where this vulnerability is fixed. Since no official patch links or vendor advisory text is provided, patch status is inferred from the version information in the description. Patch status is considered confirmed fixed in these versions. No additional mitigation steps are indicated.