On Friday, March 21, a serious security issue called CVE-2025-29927 was found in Next.js, a popular tool for building websites. This issue, which has a severity rating of 9.1 out of 10, allows hackers to bypass security and access restricted parts of websites without permission. It affects Next.js versions 11.1.4 to 15.2.2, causing major concerns among developers and businesses using this tool.
So, What Was the Security Problem?
The security problem in Next.js allowed attackers to trick the system and access parts of a website they shouldn’t be able to. This happened due to a weakness in how Next.js middleware handled authentication and request checking.
Middleware helps process user requests before they reach the main website, often verifying if a user is logged in or allowed to see certain pages. Because of this flaw, hackers could send special requests that fooled the system into letting them through. This could expose private data, restricted pages, and even admin controls to unauthorized users.
Why Is This Security Flaw Dangerous?
Next.js middleware is widely used to check user permissions and ensure security. However, due to this flaw, hackers can send a specific request with a special header (x-middleware-subrequest) to skip security checks. This could let them enter admin panels, view sensitive user data, or control website features without proper access.
This flaw is especially dangerous because many developers rely on Next.js middleware for security. If websites are not updated, they remain at risk of data leaks, hacks, and unauthorized access.
How Was This Issue Discovered?
Security experts and developers regularly check for weaknesses in software frameworks. This flaw was identified when security researchers tested Next.js authentication and found that certain requests could bypass login checks. After confirming the issue, they reported it to Vercel, the company behind Next.js, which quickly worked on fixing it.
What Should You Do? Is There a Fix?
Yes, the Next.js team has released updates to fix this issue. If you use Next.js, update immediately to one of these safe versions:
Next.js 15.x: Fixed in 15.2.3
Next.js 14.x: Fixed in 14.2.25
Next.js 13.x: Fixed in 13.5.9
Next.js 12.x: Fixed in 12.3.5
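The version ranges above as a check you can run against an installed `next` version string. This is an added example, not code from Next.js or Vercel, and the function names are hypothetical. It returns no upgrade target for 11.x because the list above names no fixed 11.x release.

```javascript
// Added example: classify an installed Next.js version using only the ranges in this article.
const FIRST_AFFECTED = [11, 1, 4];
const FIXED_BY_MAJOR = { 15: [15, 2, 3], 14: [14, 2, 25], 13: [13, 5, 9], 12: [12, 3, 5] };

// Accepts concrete versions such as "14.2.3", "v13.5.9" or "15.2.3-canary.1".
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  if (!m) throw new Error(`not a concrete version: ${text}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Numeric comparison of [major, minor, patch]; returns -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function auditNextVersion(text) {
  const { core, prerelease } = parseVersion(text);
  if (compare(core, FIRST_AFFECTED) < 0) return { affected: false, upgradeTo: null };
  const fixed = FIXED_BY_MAJOR[core[0]];
  if (!fixed) {
    // 11.x is inside the affected range but has no fixed release listed here;
    // majors above 15 are outside the range the article gives.
    return { affected: core[0] < 12, upgradeTo: null };
  }
  const order = compare(core, fixed);
  // A prerelease of the fixed version sorts before it, so treat it as unpatched.
  const affected = order < 0 || (order === 0 && prerelease);
  return { affected, upgradeTo: affected ? fixed.join('.') : null };
}
```

Read the version from `node_modules/next/package.json` rather than from the range in your own `package.json`, since a range such as `^14.1.0` does not say which release is actually installed.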
If updating is not possible right away, you can use a temporary fix by blocking requests that contain the x-middleware-subrequest header in your server settings or firewall rules.
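One way to apply that temporary block in the application itself, assuming the app runs behind a custom Node server that accepts Connect/Express-style middleware. This is an added example, not code from Next.js or Vercel, and `createSubrequestGuard` and its `record` callback are hypothetical names.

```javascript
// Added example (hypothetical names): reject requests carrying x-middleware-subrequest
// before they reach the Next.js handler, and record each rejection for review.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Node lowercases names in req.headers, but header objects built by other layers
// may not, so match the name case-insensitively.
function findBlockedHeader(headers) {
  const name = Object.keys(headers || {}).find((k) => k.toLowerCase() === BLOCKED_HEADER);
  return name === undefined ? null : String(headers[name]);
}

// Returns Connect/Express-style middleware (req, res, next).
// `record` is an assumed callback that receives one event per blocked request.
function createSubrequestGuard(record = () => {}) {
  return function subrequestGuard(req, res, next) {
    const value = findBlockedHeader(req.headers);
    if (value === null) return next();
    record({
      time: new Date().toISOString(),
      remote: req.socket ? req.socket.remoteAddress : undefined,
      method: req.method,
      url: req.url,
      headerValue: value.slice(0, 200), // cap what goes into the log
    });
    res.statusCode = 403;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Forbidden');
  };
}
```

Mount the guard ahead of the Next.js request handler so it runs first. The recorded events show which paths were requested with the header, which is useful when reviewing logs from before the block was in place.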
What Are the Long-Term Effects of This Security Issue?
This security flaw could have long-term effects on developers, businesses, and the entire web development industry. Security problems happen in all software tools, but this one was serious enough to make people question how safe Next.js really is. Here’s what could happen next:
1. Developers May Stop Trusting Next.js for Secure Projects
When a security flaw this serious is found, it raises a tough question: Can Next.js be trusted for projects where security is critical? Many developers rely on it to build financial applications, healthcare platforms, and business tools, industries where even a small security risk can cause huge problems.
This issue highlights a bigger concern: Was security ever a top priority for Next.js? If a flaw this severe went unnoticed for so long, it makes developers wonder what other hidden vulnerabilities could be there. Some might now see Next.js as less reliable for high-security applications and consider switching to other frameworks.
Some of the alternatives developers may explore include:
Remix: Focuses on strong backend security and built-in protections.
SvelteKit: Has a simpler structure, reducing the chances of security flaws.
Astro: Works well for static sites, limiting possible attack points.
Even though Next.js has fixed the issue, trust isn’t repaired overnight. Developers working on sensitive projects might hesitate to use Next.js again. If another serious security flaw appears in the future, it could seriously harm Next.js’s reputation as a reliable framework.
2. Security Breaches Can Have Bigger Consequences
Security issues don’t just affect developers; they can cause real damage to businesses and users. A major security problem in Next.js could lead to:
Financial losses: Companies may face lawsuits, fines, or even lose customers.
Reputation damage: If an app built with Next.js is hacked, users might lose trust in it.
Long-term impact: If Next.js gets a reputation for being weak on security, businesses may stop using it altogether.
One security flaw may not destroy Next.js, but if another big issue happens soon, developers may permanently move to safer alternatives.
3. Next.js Needs Stronger Security Measures
This incident is a wake-up call for Next.js and Vercel. To prevent future problems, they need to take security more seriously by:
Running deep security tests before every update to catch vulnerabilities early.
Giving developers clear security guidelines to follow in their projects.
Improving how middleware handles security to prevent weak spots.
Monitoring security in real time to detect issues before they become bigger threats.
Without these improvements, developers may feel forced to leave Next.js behind for safer options.
4. Developers Will Now Be Extra Careful
A security breach like this reminds developers that security must always come first. Many will likely change how they handle security in their Next.js projects by:
Reducing reliance on middleware for security and focusing more on backend solutions.
Checking user input more carefully to prevent hackers from sending harmful requests.
Using extra security layers like firewalls, strong passwords, and two-step authentication.
Following stricter security rules to make sure their websites meet regulations such as GDPR and follow guidance such as OWASP's.
These changes won’t just improve security in Next.js projects; they could help improve security across the entire web development industry.
5. Businesses Might Face Legal and Compliance Issues
Companies using Next.js for apps that store sensitive customer data, such as banks, hospitals, and online stores, may now face legal risks due to this security flaw. If customer data were exposed, businesses could:
Get sued or fined for not protecting user information properly.
Be forced to prove they follow security laws and standards like GDPR, HIPAA, or SOC 2.
Have to increase security efforts by running more tests and hiring security experts.
Because of this, businesses might think twice before using Next.js for projects where security and compliance are critical. They may start demanding stronger security guarantees before committing to the framework.
6. Hackers Might Try Similar Attacks
Now that this security flaw has been made public, hackers could take advantage of it in multiple ways:
Looking for similar weaknesses in Next.js or other frameworks.
Targeting websites that haven’t updated Next.js yet and using the known flaw to break in.
Creating new attack methods to exploit security gaps in Next.js applications.
To stay safe, developers must regularly update Next.js and follow strict security best practices to protect their applications from future attacks.
The Bigger Question: Is Next.js Still a Safe Choice?
One security flaw doesn’t mean Next.js is completely unsafe, but it does raise important concerns. If another major security issue happens soon, Next.js could lose many developers and businesses to other frameworks.
Security isn’t just about fixing problems after they happen; it’s about preventing them before they occur. If Next.js doesn’t prove that it is fully committed to security, it risks losing its position as the go-to framework for modern web development.
What Can Businesses Learn from This?
Security is an ongoing challenge, and this issue is a lesson for developers and companies alike. Businesses should:
Regularly update their software to avoid security flaws.
Use security audits to check for weaknesses.
Train their developers on the latest security threats.
Implement strong authentication systems to prevent unauthorized access.
To Conclude
This security flaw in Next.js was a wake-up call for developers and businesses. While it raised concerns, it also provided an opportunity to improve security and follow better practices. Whether people continue using Next.js or switch to other frameworks, one thing is clear: security will be a bigger priority in web development moving forward.