A critical security flaw in Next.js middleware (CVE-2025-29927) enables attackers to bypass authentication and authorization controls by manipulating HTTP headers.
Rated 9.1 CVSSv3, this vulnerability impacts applications using middleware for security checks in Next.js versions 11.1.4 through 15.2.2.
Technical Breakdown of the Exploit
The vulnerability stems from Next.js’ header handling, which is designed to prevent infinite middleware loops during internal routing.
Attackers can exploit this by injecting crafted headers to skip middleware execution entirely.
Key Exploit Patterns
```http
GET /admin HTTP/1.1
Host: target.com
x-middleware-subrequest: middleware:middleware:middleware
```
This bypass occurs due to flawed header validation in the runMiddleware function, which checks whether the header matches the middleware's registered name. If it matches, the request proceeds without security checks via NextResponse.next().
Impact Analysis
| Risk Category | Potential Consequences |
|---|---|
| Authorization Bypass | Unrestricted access to protected routes/APIs |
| CSP Header Bypass | Increased XSS attack surface |
| Cache Poisoning | Serving malicious content to legitimate users |
| Account Takeover | Session hijacking and privilege escalation |
The vulnerability undermines core security mechanisms, particularly for applications relying on middleware for:
- Session cookie validation
- Role-based access controls
- Security header injection (CSP, CORS)
- Path-based authentication
Affected Versions and Patches
| Next.js Version Range | Patched Version | Remediation Type |
|---|---|---|
| 11.1.4 – 13.5.6 | N/A | Header filtering* |
| 14.0.0 – 14.2.24 | 14.2.25 | Full patch |
| 15.0.0 – 15.2.2 | 15.2.3 | Full patch |
*For unpatched versions, implement header filtering at infrastructure layers.
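To turn the table above into something a team can run across its repositories, the following JavaScript is an added example (not code from the article or from the Next.js project) that classifies a version string against exactly the ranges listed. The package.json contents, the helper names and the "Not in a listed affected range" wording are constructed for the example.

```javascript
// Added example: classify an installed Next.js version against the affected
// ranges in the CVE-2025-29927 table. Ranges are copied from the table as-is;
// anything outside them is reported as "not listed", not as safe.
const AFFECTED_RANGES = [
  { from: '11.1.4', to: '13.5.6',  patched: null,      remediation: 'Header filtering' },
  { from: '14.0.0', to: '14.2.24', patched: '14.2.25', remediation: 'Full patch' },
  { from: '15.0.0', to: '15.2.2',  patched: '15.2.3',  remediation: 'Full patch' },
];

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v" and an optional
// pre-release suffix (e.g. 15.2.3-canary.1). Per semver, a pre-release sorts
// below its release, which the trailing 0/1 element encodes.
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(str).trim());
  if (!m) throw new Error(`unparseable version: ${str}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Look the version up in the table; pre-release builds that fall between two
// listed boundaries are not covered by the table and come back as "not listed".
function classifyNextVersion(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.from) >= 0 && compareVersions(version, r.to) <= 0) {
      return { version, affected: true, patched: r.patched, remediation: r.remediation };
    }
  }
  return { version, affected: false, patched: null, remediation: 'Not in a listed affected range' };
}

// Pull the "next" pin out of a package.json-style object. Only exact, caret or
// tilde pins are handled; the lockfile's resolved version is what actually
// runs, so treat this as a first pass. Returns null if Next.js is not present.
function nextVersionFromPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return deps.next ? deps.next.replace(/^[\^~]/, '') : null;
}

// Constructed package.json for the usage below.
const samplePkg = { dependencies: { next: '^14.2.24', react: '^18.3.1' } };
const pinned = nextVersionFromPackageJson(samplePkg);
console.log(classifyNextVersion(pinned));
```

Because a caret pin such as `^14.2.24` may resolve to a later release in the lockfile, run the check against the resolved version (for example the output of `npm ls next`) before concluding that an application is exposed.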
Mitigation Strategies
1. Immediate Patching
```bash
# For npm-based projects (on the 14.x line, the patched release is 14.2.25)
npm install next@15.2.3 --save-exact
```
2. Infrastructure-Level Workarounds
- Cloudflare Rule:
```text
http.request.headers.names contains "x-middleware-subrequest"
=> override req header "x-middleware-subrequest" ""
```
- NGINX Configuration:
```nginx
# An empty value makes NGINX omit the header from the proxied request entirely
proxy_set_header x-middleware-subrequest "";
```
3. Middleware Hardening
Add pre-middleware validation in custom servers:
```javascript
// Node's HTTP parser lower-cases incoming header names, so deleting the
// lower-case key removes the header however the client spelled it.
app.use((req, res, next) => {
  delete req.headers['x-middleware-subrequest'];
  next();
});
```
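The following JavaScript is an added example, not Next.js source and not code from the article: a simplified model of the header check described under Technical Breakdown (a colon-separated header value containing the middleware's registered name causes the middleware to be skipped), placed next to the header-stripping workaround above and a route-level authorization re-check of the kind the closing paragraph recommends. The function names, the `session=valid-session` cookie value and the request object are assumptions constructed for the example.

```javascript
// Added example: simplified model of the flawed subrequest check, the
// header-stripping workaround, and a defence-in-depth re-check in the handler.
const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Model of the vulnerable logic (not the framework's real code): if the inbound
// header names this middleware, the request is treated as an internal
// subrequest and the middleware is skipped, i.e. NextResponse.next().
function runMiddlewareModel(headers, middlewareName, middlewareFn) {
  const raw = headers[SUBREQUEST_HEADER];
  const names = typeof raw === 'string' ? raw.split(':') : [];
  if (names.includes(middlewareName)) {
    return { middlewareRan: false, outcome: 'next' };
  }
  return { middlewareRan: true, outcome: middlewareFn(headers) };
}

// A typical auth middleware: only a valid session cookie reaches the route.
// The cookie value is a constructed placeholder, not a real session format.
function authMiddleware(headers) {
  return headers.cookie === 'session=valid-session' ? 'next' : 'redirect:/login';
}

// Workaround (edge, reverse proxy or custom server): drop the internal header
// from anything a client sent, since only the framework should ever set it.
// Returns a new header map and matches the name case-insensitively.
function stripSubrequestHeader(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== SUBREQUEST_HEADER) clean[name] = value;
  }
  return clean;
}

// Express-style form of the same step, equivalent to the snippet above.
function stripSubrequestHeaderMiddleware(req, res, next) {
  req.headers = stripSubrequestHeader(req.headers);
  next();
}

// Defence in depth: the protected handler re-checks authorization itself
// instead of trusting that the middleware ran.
function adminRouteHandler(headers) {
  return headers.cookie === 'session=valid-session' ? 200 : 403;
}

// What a request to /admin gets with and without the header stripped, plus
// what the handler itself would answer.
function simulate(headers) {
  const direct = runMiddlewareModel(headers, 'middleware', authMiddleware);
  const filtered = runMiddlewareModel(stripSubrequestHeader(headers), 'middleware', authMiddleware);
  return {
    unfiltered: direct.outcome,
    filtered: filtered.outcome,
    handlerStatus: adminRouteHandler(headers),
  };
}

// Constructed request: no session cookie, but it carries the internal header.
const suspiciousRequest = {
  host: 'app.example',
  [SUBREQUEST_HEADER]: 'middleware:middleware:middleware',
};
console.log(simulate(suspiciousRequest));
// { unfiltered: 'next', filtered: 'redirect:/login', handlerStatus: 403 }
```

The model makes the two layers of the fix visible: stripping the header restores the middleware's redirect, and the handler's own check still returns 403 even in a deployment where the header somehow reached the framework.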
Forensic Detection
Security teams can inventory Internet-facing Next.js instances, the candidates to check against the affected ranges above, with an asset-search query such as:
```text
_asset.protocol:http AND protocol:http AND (
http.head.xPoweredBy:="Next.js" OR
http.body:"/_next/static/"
)
```
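As an added example (not the article's own tooling), the JavaScript below encodes the fingerprint logic of the search query above as a function and goes one step further: it scans access-log lines for client requests that arrived with the internal subrequest header, which is the artefact an incident responder would look for after patching. The JSON-lines log format, its field names and the sample entries are constructed assumptions.

```javascript
// Added example: a Next.js response fingerprint and an access-log scan for
// client requests carrying the internal subrequest header.
const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Same two signals as the asset-search query: an X-Powered-By: Next.js
// response header, or a body that references /_next/static/.
function looksLikeNextJs(responseHeaders, body) {
  const powered = Object.entries(responseHeaders)
    .find(([name]) => name.toLowerCase() === 'x-powered-by');
  if (powered && /next\.js/i.test(String(powered[1]))) return true;
  return typeof body === 'string' && body.includes('/_next/static/');
}

// Scan a JSON-lines access log in which each entry records the request
// headers (an assumed format, e.g. from a reverse proxy configured to log
// them). Every entry carrying the header is returned; malformed lines are
// skipped rather than aborting the scan.
function findSubrequestHeaderAttempts(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (err) {
      continue;
    }
    const headers = entry.headers || {};
    const key = Object.keys(headers).find((k) => k.toLowerCase() === SUBREQUEST_HEADER);
    if (key === undefined) continue;
    hits.push({
      ts: entry.ts,
      src: entry.src,
      path: entry.path,
      status: entry.status,
      value: headers[key],
    });
  }
  return hits;
}

// Constructed sample log: a request redirected by the auth middleware, the
// same client returning with the internal header and receiving 200, and one
// malformed line.
const SAMPLE_LOG = [
  JSON.stringify({ ts: '2025-03-22T10:00:00Z', src: '203.0.113.10', path: '/admin', status: 307,
    headers: { host: 'app.example' } }),
  JSON.stringify({ ts: '2025-03-22T10:00:05Z', src: '203.0.113.10', path: '/admin', status: 200,
    headers: { host: 'app.example', 'X-Middleware-Subrequest': 'middleware' } }),
  'not json at all',
].join('\n');

console.log(findSubrequestHeaderAttempts(SAMPLE_LOG));
```

A client never has a legitimate reason to send this header, so any hit is worth triage; a hit on a protected path that was answered with a 200 after an earlier redirect from the same source is the pattern that indicates the bypass actually succeeded.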
This vulnerability highlights the risks of over-reliance on middleware for security controls.
While Next.js has issued patches, organizations must audit their implementation and consider defense-in-depth strategies like role validation at both middleware and application layers.