Next.js Middleware

A critical security vulnerability (CVE-2025-29927) has been discovered in Next.js that allows attackers to completely bypass middleware-based security controls by manipulating the x-middleware-subrequest header. 

This critical flaw affects authentication flows, authorization controls, path rewriting, and security header implementations across multiple Next.js versions, potentially exposing thousands of web applications to unauthorized access.

According to vulnerability researchers Rachid and Yasser Allam (inzo_), the vulnerability exploits a flaw in the Next.js middleware code that processes the x-middleware-subrequest header.


Next.js middleware serves as a crucial component for implementing authentication checks, path rewriting, server-side redirects, and security headers like Content Security Policy (CSP).

At its core, the vulnerability allows attackers to completely bypass middleware execution by manipulating the x-middleware-subrequest header value, which acts as a “universal key” enabling requests to bypass security checks entirely:

This code snippet shows that if the x-middleware-subrequest header value includes the middlewareInfo.name, middleware execution is bypassed via NextResponse.next().

Next.js Middleware Vulnerability

The exploitation method varies depending on the Next.js version:

For versions prior to 12.2:

For versions 12.2 and later:

For versions 13.2.0 and later:

For applications using a /src directory structure:

The impact is substantial as middleware is commonly used for critical security functions in Next.js applications. 

When exploited, attackers can access protected administrative interfaces, bypass authentication requirements, and even circumvent security headers like CSP.

The summary of the vulnerability is given below:

Risk Factors            Details
Affected Products       Next.js 11.1.4 through 13.5.6 (unpatched); Next.js 14.x before 14.2.25; Next.js 15.x before 15.2.3
Impact                  Bypass of middleware-based security controls; unauthorized access
Exploit Prerequisites   Send HTTP requests with custom headers; target application must be self-hosted and using Next.js middleware
CVSS 3.1 Score          9.1 (Critical)

Affected Versions

The vulnerability affects:

  • Next.js 11.1.4 through 13.5.6 (unpatched)
  • Next.js 14.x before 14.2.25
  • Next.js 15.x before 15.2.3

Next.js deployments hosted on Vercel are automatically protected, but self-hosted applications remain vulnerable unless patched.

Next.js sees approximately 10 million weekly downloads, so the vulnerability potentially compromises security across numerous production systems in critical sectors, including banking and blockchain applications.

Researchers demonstrated practical attacks, including:

  • Authorization bypass – Accessing protected admin interfaces
  • Rewrite bypass – Reaching endpoints intended to be unreachable
  • CSP bypass – Circumventing content security policies
  • Cache-poisoning DoS – Potentially forcing caching of error pages, affecting availability

Mitigation Strategies

Vercel has released patches for the vulnerability:

  • For Next.js 15.x: Update to version 15.2.3 or higher
  • For Next.js 14.x: Update to version 14.2.25 or higher
  • For Next.js 13.x: Update to version 13.5.9 or higher

If immediate updating isn’t possible, implement these workarounds:

For Nginx:

For Express.js:

CVE-2025-29927 demonstrates how internal framework mechanisms can create significant security vulnerabilities. The ease of exploitation makes this a high-priority issue for Next.js users. 

Organizations should immediately patch affected applications or implement header-blocking workarounds at the proxy level. 

This vulnerability reminds us that seemingly minor implementation details in web frameworks can lead to significant security exposures when they are not properly validated against external manipulation.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.