
CVE-2025-29927: Next.js Middleware Authorization Bypass – Technical Analysis

A critical vulnerability, CVE-2025-29927, has been identified in Next.js, a React-based web framework by Vercel. This flaw allows attackers to bypass middleware-based authorization checks by exploiting the x-middleware-subrequest header.

Middleware in Next.js is widely used for tasks such as path rewriting, server-side redirects, security headers (e.g., CSP), and access control.

The vulnerability affects versions 11.1.4 through 13.5.6, 14.x before 14.2.25, and 15.x before 15.2.3.

Root Cause

The issue stems from a design flaw in how Next.js processes the x-middleware-subrequest header, originally intended for internal use to prevent infinite middleware loops.

If this header contains a specific value matching the middleware’s name, the middleware execution is skipped entirely.

Attackers can exploit this by crafting requests with the appropriate header value to bypass all middleware protections.

Exploitation

Attackers can send an HTTP request with the following header to bypass middleware:

GET /dashboard/admin HTTP/1.1
Host: example.com
X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware

This grants unauthorized access to protected resources by skipping authentication and authorization checks.

The vulnerability poses severe risks:

  • Authorization Bypass: Attackers gain access to restricted routes without authentication.
  • CSP Bypass: Security headers added via middleware can be ignored, enabling XSS attacks.
  • Cache Poisoning: Middleware controlling cache headers can be bypassed, leading to cache poisoning.

Vercel has released patches:

  • Upgrade to Next.js 14.2.25 or 15.2.3.
  • For earlier versions, block the x-middleware-subrequest header at the server or load balancer level.

Workarounds include:

  • Adding custom middleware to strip the header.
  • Configuring web servers like Nginx or Apache to unset this header.
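The header-stripping workaround above, together with the detection angle, as an added example (not code from the original post or from Next.js itself): a reverse-proxy style filter that drops x-middleware-subrequest from external requests before they reach the app and emits an alert record whenever the header was present. The skip check is a simplified model of the flaw as the post describes it, not the framework's real code; the sample requests are constructed.

```javascript
const SUBREQUEST_HEADER = "x-middleware-subrequest";

// Header names are case-insensitive, so compare lower-cased names and
// drop every spelling of the header. The removed value is kept for alerting.
function stripSubrequestHeader(headers) {
  const sanitized = {};
  let removedValue = null;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === SUBREQUEST_HEADER) {
      removedValue = value;
    } else {
      sanitized[name] = value;
    }
  }
  return { sanitized, removedValue };
}

// Simplified model (an assumption, not the framework's actual code) of the flawed
// check: middleware is skipped when the header carries the middleware's name.
// Used only to show that the filter restores middleware execution.
function middlewareWouldRun(headers, middlewareName = "middleware") {
  const hit = Object.entries(headers).find(([n]) => n.toLowerCase() === SUBREQUEST_HEADER);
  if (!hit) return true;
  return !hit[1].split(":").includes(middlewareName);
}

// Filter one request: return the headers to forward plus an alert record if the
// client supplied the internal header (a strong signal of a bypass attempt).
function filterRequest(req) {
  const { sanitized, removedValue } = stripSubrequestHeader(req.headers);
  const alert = removedValue === null ? null : {
    rule: "client-supplied-x-middleware-subrequest",
    method: req.method, path: req.path, client: req.client, value: removedValue,
  };
  return { headers: sanitized, alert };
}

// Constructed sample requests (not real traffic); client IPs are documentation ranges.
const SAMPLE_REQUESTS = [
  { method: "GET", path: "/dashboard/admin", client: "203.0.113.7",
    headers: { Host: "example.com",
               "X-Middleware-Subrequest": "middleware:middleware:middleware:middleware:middleware" } },
  { method: "GET", path: "/dashboard", client: "198.51.100.2",
    headers: { Host: "example.com", Cookie: "session=abc" } },
];

function run(requests = SAMPLE_REQUESTS) {
  return requests.map((req) => {
    const { headers, alert } = filterRequest(req);
    return { path: req.path, alerted: alert !== null, middlewareRuns: middlewareWouldRun(headers) };
  });
}
```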

A Nuclei detection template has been developed to identify vulnerable systems by checking for bypass scenarios using crafted headers.

CVE-2025-29927 highlights how minor implementation flaws can lead to significant security breaches. Organizations using self-hosted Next.js must urgently patch their systems or implement mitigations to avoid exploitation.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
