Next.js version 15.2.3 security vulnerability

Next.js has released version 15.2.3 to address a significant security vulnerability that allowed authorization bypass through crafted HTTP requests. The flaw centred on an internal header, 'x-middleware-subrequest': a request carrying this header could bypass critical security checks. Users have expressed concern about the complexity of Next.js and its reliance on middleware, which can lead to severe security flaws in the design of web applications, and the issue has raised alarms about the overall security model of frameworks that merge backend and frontend code. Critics also highlighted the maintainers' inadequate response time to the reported issue, which deepened fears about the framework's reliability for building secure applications. Some users have voiced doubts about the strategic direction of Next.js, suggesting that its design may fundamentally overlook important security principles.
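Two defender-side helpers for the header discussed above, added here as an example and not taken from the original page or the Next.js project: one strips a client-supplied 'x-middleware-subrequest' header at the proxy or edge before the request reaches the application, the other scans access-log lines for external requests that carried it. The log format and the sample lines are constructed for this example.

```javascript
// Added example (not from the original page or the Next.js project).
// Internal header names that must never be accepted from outside.
const INTERNAL_HEADERS = new Set(['x-middleware-subrequest']);

// Mitigation: drop the internal header from inbound headers (case-insensitive)
// so a reverse proxy or edge function never forwards a client-supplied copy.
// Returns the cleaned header map plus the names that were dropped, for alerting.
function sanitizeInboundHeaders(headers) {
  const cleaned = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (INTERNAL_HEADERS.has(name.toLowerCase())) {
      dropped.push(name);
      continue;
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, dropped };
}

// Constructed access-log lines (format invented for this example):
// "<client-ip> <method> <path> <status> headers=<name=value;name=value...>"
const SAMPLE_LOG = [
  '203.0.113.7 GET /admin 200 headers=x-middleware-subrequest=present;host=app.example',
  '198.51.100.4 GET /admin 401 headers=host=app.example',
  '203.0.113.7 POST /api/login 200 headers=content-type=application/json',
];

// Detection: return every logged request whose header list contains one of
// the internal header names, regardless of value or letter case.
function findHeaderAbuse(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/^(\S+) (\S+) (\S+) (\d{3}) headers=(.*)$/);
    if (!m) continue;
    const [, ip, method, path, status, hdrs] = m;
    const names = hdrs.split(';').map((kv) => kv.split('=')[0].trim().toLowerCase());
    if (names.some((n) => INTERNAL_HEADERS.has(n))) {
      hits.push({ ip, method, path, status: Number(status) });
    }
  }
  return hits;
}
```

A hit on a protected path that returned 200 from an external client is the case worth alerting on.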