Waseem Akram

Next.js Middleware Vulnerability – CVE-2025-29927

Waseem Akram
2025-03-25
Vulnerabilities

Next.js Middleware has a critical flaw (CVE-2025-29927) that allows unauthorized access. Learn which versions are affected and how to secure your app today.

What is the Next.js Middleware Vulnerability?

Next.js is a popular framework for building web apps, and its Middleware feature helps with tasks like checking if users are logged in before they access certain pages. However, a security flaw, called CVE-2025-29927, has been found. This flaw lets attackers skip these checks by tweaking a special header in their requests, potentially accessing restricted areas like admin pages.

Affected Versions and Impact

This issue affects self-hosted Next.js apps using Middleware, especially if they rely on it for security without extra checks. The affected versions are:

  • Next.js 15.x: before 15.2.3
  • Next.js 14.x: before 14.2.25
  • Next.js 13.x: before 13.5.9
  • Next.js 12.x: before 12.3.5
  • Next.js 11.x: all versions from 11.1.4 onwards, but it's no longer supported.

Interestingly, apps hosted on platforms like Vercel or Netlify, or deployed as static sites, are not affected, which might be unexpected for users with self-hosted setups.

How to Fix It

To protect your app, update to the latest version for your Next.js release, such as 15.2.3 for 15.x. If updating isn't possible, block requests with the x-middleware-subrequest header using a tool like a reverse proxy or WAF. Cloudflare users can use a managed WAF rule for extra protection (Cloudflare changelog).


Survey Note: Comprehensive Analysis of Next.js Middleware Vulnerability

This section provides a detailed examination of the vulnerability in Next.js Middleware, known as CVE-2025-29927, identified as a critical security issue affecting various versions of the framework. Next.js, developed by Vercel, is a popular React-based framework for building full-stack web applications, and its Middleware feature allows running code before a request is completed, typically for tasks such as authorization, redirection, and header modification. The vulnerability, discovered recently, has significant implications for application security, particularly for self-hosted deployments.

Background on Next.js Middleware

Next.js Middleware is a powerful tool integrated into the framework, enabling developers to intercept and modify requests before they reach the application's routing system. It supports functionalities like authentication, logging, and redirects, and is defined in a file named middleware.ts or middleware.js at the project root. The feature, introduced in Next.js 12, runs at the edge on platforms like Vercel, enhancing performance and security. However, its implementation has revealed a critical flaw, CVE-2025-29927, which allows attackers to bypass authorization checks by manipulating the x-middleware-subrequest header.

Detailed Vulnerability Description

CVE-2025-29927 involves an authorization bypass in Next.js Middleware, where attackers can craft requests with the x-middleware-subrequest header to skip Middleware execution. This header is intended for internal use to prevent recursive requests from causing infinite loops, but its manipulation allows attackers to bypass critical security checks, such as cookie validation for authorization. This vulnerability affects applications that rely on Middleware for authentication or security without additional backend validation, potentially exposing sensitive resources like admin pages.

The vulnerability was reported by researchers, with detailed findings published on platforms like zhero web security, highlighting its evolution across versions and the exploit's logic changes. It was rated critical with a CVSS score of 9.1/10, indicating high severity due to its potential for unauthorized access, CSP bypass, and cache-poisoning denial-of-service attacks.

Affected Versions and Scope

The vulnerability impacts a range of Next.js versions, specifically:

  • Next.js 15.x: versions before 15.2.3
  • Next.js 14.x: versions before 14.2.25
  • Next.js 13.x: versions before 13.5.9
  • Next.js 12.x: versions before 12.3.5
  • Next.js 11.x: all versions from 11.1.4 onwards, as support ended on January 27, 2022, with no patch available

According to the official Next.js blog post, self-hosted applications using Middleware with next start and output: 'standalone', relying on Middleware for auth or security checks not validated later, are at risk. Notably, applications hosted on Vercel, Netlify, or deployed as static exports are not affected, as Middleware is not executed in these scenarios, which may be unexpected for users accustomed to self-hosted environments.

The affected version ranges were confirmed through the GitHub security advisory, which lists:

  • >= 11.1.4, < 12.3.5
  • >= 13.0.0, < 13.5.9
  • >= 14.0.0, < 14.2.25
  • >= 15.0.0, < 15.2.3

This means that for the 11.x series every version from 11.1.4 to the end of the line is vulnerable, and the same range continues through 12.x up to but not including 12.3.5. Because 11.x is end-of-life (as per endoflife.date), users on it cannot receive a patch and must upgrade to a supported major version, which adds complexity to mitigation efforts.
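The advisory ranges above are easy to misread by hand (the 11.x/12.x range in particular spans two majors), so the following is an added example, not code from the original post or from the Next.js project, that checks a version string against exactly those four ranges and reports the smallest patched release for that major. The package.json fragment and its version numbers are constructed for the example; the version-comparison helper is written inline so nothing needs to be installed.

```javascript
// Added example (not from the original post): checks a Next.js version string
// against the affected ranges listed in the GitHub advisory for CVE-2025-29927.
// No dependencies; a minimal MAJOR.MINOR.PATCH comparison is implemented inline.

// Affected ranges as listed in the advisory: from (inclusive) to (exclusive).
const AFFECTED_RANGES = [
  { from: "11.1.4", to: "12.3.5" },
  { from: "13.0.0", to: "13.5.9" },
  { from: "14.0.0", to: "14.2.25" },
  { from: "15.0.0", to: "15.2.3" },
];

// First patched release per major. 11.x has no patch (end-of-life).
const PATCHED_BY_MAJOR = { 12: "12.3.5", 13: "13.5.9", 14: "14.2.25", 15: "15.2.3" };

// Parse "MAJOR.MINOR.PATCH". A leading "v" and pre-release/build suffixes such
// as "15.2.3-canary.1" are stripped; the ranges are expressed on the numeric core.
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n) || n < 0)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Negative, zero or positive, like a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when the version falls inside any advisory range (from <= v < to).
function isAffected(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.from) >= 0 && compareVersions(version, r.to) < 0
  );
}

// Patched release to move to, or null when not affected or when the major has
// no patch (11.x), in which case the answer is to migrate to a supported major.
function recommendedUpgrade(version) {
  if (!isAffected(version)) return null;
  const major = parseVersion(version)[0];
  return PATCHED_BY_MAJOR[major] || null;
}

// Pull the "next" dependency out of a package.json object. Range operators such
// as ^ or ~ are stripped; the exact version from the lock file is better input
// when available, because "^15.1.7" may have resolved to a newer release.
function nextVersionFromPackageJson(pkg) {
  const spec = (pkg.dependencies && pkg.dependencies.next) || null;
  if (!spec) return null;
  return spec.replace(/^[\^~>=<\s]+/, "");
}

// Constructed sample input for the example.
const samplePackageJson = { dependencies: { next: "^15.1.7", react: "^19.0.0" } };

function report(pkg = samplePackageJson) {
  const v = nextVersionFromPackageJson(pkg);
  if (v === null) return { version: null, affected: false, upgradeTo: null };
  return { version: v, affected: isAffected(v), upgradeTo: recommendedUpgrade(v) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(report()); // { version: '15.1.7', affected: true, upgradeTo: '15.2.3' }
}
if (typeof module !== "undefined") {
  module.exports = { parseVersion, compareVersions, isAffected, recommendedUpgrade, nextVersionFromPackageJson, report };
}
```

Run it with `node check-next-version.js` (any file name) after pasting your own package.json object into `report()`; a `null` from `recommendedUpgrade` on an affected 11.x version is the signal that a major-version migration, not a patch bump, is required.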

Impact Analysis

The impact of CVE-2025-29927 is significant, particularly for applications with Middleware as the primary security layer. Attackers can bypass authorization, potentially accessing admin interfaces or sensitive data, as noted in reports like The Hacker News. This could lead to data breaches, privilege escalation, and other security compromises, especially in applications without additional backend checks. The vulnerability's simplicity, stemming from an oversight in header processing, underscores the importance of layered security, as highlighted in Strobes blog.

Mitigation Strategies

To address this vulnerability, several mitigation strategies are recommended:

  1. Update to Patched Versions: The most effective solution is to update to the latest patched versions, as follows:

     • Next.js 15.x: Update to 15.2.3 or later
     • Next.js 14.x: Update to 14.2.25 or later
     • Next.js 13.x: Update to 13.5.9 or later
     • Next.js 12.x: Update to 12.3.5 or later
     • For Next.js 11.x, upgrade to a supported version, as it is no longer maintained.

     These patches were released recently, with version 15.2.3 addressing the issue for the latest series, as seen in GitHub releases.

  2. Block Specific Headers: If updating is not feasible, block incoming requests containing the x-middleware-subrequest header. This can be implemented using a reverse proxy or WAF, as suggested in the Next.js blog post. This approach prevents exploitation by filtering out malicious requests at the network level.

  3. Cloudflare Users: For users leveraging Cloudflare, a managed WAF rule is available at Cloudflare changelog, providing an additional layer of protection by automatically blocking attempts to exploit the vulnerability.

These strategies ensure comprehensive protection, with the update being the preferred long-term solution, while header blocking serves as an interim measure.
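Two of the points above are worth seeing as code: the interim mitigation (reject any inbound request that carries x-middleware-subrequest, whatever its value, because that header is internal to Next.js and no external client has a reason to send it) and the layered check the post keeps returning to, namely a protected route that validates the session itself instead of assuming Middleware already ran. The following is an added example written for this post, not code from the original or from the Next.js project. It models the gate as plain Node.js functions; the session store, cookie name and the `/admin` route prefix are constructed assumptions.

```javascript
// Added example (not from the original post or the Next.js project): a Node.js
// request gate implementing the interim header block, plus route-level
// authorization that does not depend on Middleware having executed.

// Internal Next.js header. Any external request carrying it is rejected outright;
// the value is irrelevant, so no attempt is made to interpret it.
const INTERNAL_HEADER = "x-middleware-subrequest";

// Decide whether an inbound request may proceed, given its headers object.
// Node lowercases header names, but the check normalises anyway so it also
// works on headers taken from logs or other sources.
function gateRequest(headers) {
  for (const name of Object.keys(headers || {})) {
    if (name.toLowerCase() === INTERNAL_HEADER) {
      return { allow: false, status: 400, reason: `forbidden header ${INTERNAL_HEADER}` };
    }
  }
  return { allow: true, status: 200, reason: "ok" };
}

// Constructed session store standing in for whatever the real app uses.
const SESSIONS = new Map([
  ["sess-admin-1", { user: "alice", role: "admin" }],
  ["sess-user-7", { user: "bob", role: "user" }],
]);

// Parse a Cookie header ("a=1; b=2") into an object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of String(cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Route-level authorization for the admin area (assumed cookie name "session").
// This runs in the handler itself, so skipping Middleware gains nothing.
function authorizeAdmin(headers) {
  const { session } = parseCookies(headers && headers.cookie);
  const s = session ? SESSIONS.get(session) : undefined;
  if (!s) return { status: 401, body: "authentication required" };
  if (s.role !== "admin") return { status: 403, body: "admin role required" };
  return { status: 200, body: `welcome ${s.user}` };
}

// Full decision for one request: gate first, then per-route authorization.
function handle(method, path, headers) {
  const gate = gateRequest(headers);
  if (!gate.allow) return { status: gate.status, body: gate.reason };
  if (path === "/admin" || path.startsWith("/admin/")) return authorizeAdmin(headers);
  return { status: 200, body: "public" };
}

// Optional HTTP wrapper so the gate can be exercised locally with curl.
// Not started automatically; call startServer() yourself.
function startServer(port = 3005) {
  const http = require("http");
  return http
    .createServer((req, res) => {
      const r = handle(req.method, req.url, req.headers);
      res.writeHead(r.status, { "content-type": "text/plain" });
      res.end(r.body);
    })
    .listen(port);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(handle("GET", "/admin", { [INTERNAL_HEADER]: "middleware" })); // status 400
  console.log(handle("GET", "/admin", {}));                                   // status 401
  console.log(handle("GET", "/admin", { cookie: "session=sess-admin-1" }));  // status 200
}
if (typeof module !== "undefined") {
  module.exports = { gateRequest, parseCookies, authorizeAdmin, handle, startServer };
}
```

In a real deployment the `gateRequest` logic belongs in the reverse proxy or WAF in front of `next start`, as the post recommends; the Node version shows the decision itself, and `authorizeAdmin` is the part that stays valuable after the patch is applied, because it removes Middleware as the single point of enforcement.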

Exploitation Details (For Educational Purposes Only)

Note: The following information is provided for educational purposes only. Exploiting vulnerabilities without authorization is illegal and unethical. Always ensure you have explicit permission to test or assess any system, and consider using controlled environments like the ProjectDiscovery Lab for hands-on practice.

To exploit CVE-2025-29927, an attacker needs to craft an HTTP request with the x-middleware-subrequest header set to a specific value that tricks the Middleware into thinking it's a subrequest, thus skipping its execution. The exact value depends on the version of Next.js, as the behavior of Middleware and how it handles this header has evolved over time. Below is a breakdown based on the research:

Version Range  | Recommended Header Value for x-middleware-subrequest      | Notes
Pre-12.2       | pages/_middleware, pages/dashboard/_middleware, etc.       | Depends on the Middleware file path, e.g., for /dashboard/panel/admin, possibilities include pages/_middleware, pages/dashboard/_middleware, pages/dashboard/panel/_middleware.
12.2 to 13.x   | middleware, src/middleware                                | Simplifies the exploit; works regardless of path levels, two possibilities.
14.x           | Likely middleware or src/middleware                       | Assumed similar to 13.x based on version proximity; needs confirmation.
15.x           | middleware:middleware:middleware:middleware:middleware    | Requires 5 repetitions to exceed MAX_RECURSION_DEPTH (5), ensuring Middleware skips execution.

The exploitation process involves:

  1. Version Identification: Determine the exact version of Next.js being used by the target application. This can be done through version disclosure in the application's metadata or by analyzing responses.
  2. Header Crafting: Based on the version, set the x-middleware-subrequest header to the appropriate value as outlined in the table above. For example, for a version 15.1.7 application, set it to middleware:middleware:middleware:middleware:middleware.
  3. Sending the Request: Use an HTTP client like curl to send the crafted request to a protected endpoint. For instance:

       curl -H "x-middleware-subrequest: middleware" https://example.com/admin

     This attempts to access an admin page without authorization.
  4. Checking for Success: If the Middleware is bypassed, the request will reach the route without the expected authorization checks, potentially granting access to restricted resources.
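The defender's counterpart to the procedure above is a retrospective hunt through proxy logs for requests that carried the internal header, with a 2xx on a protected route treated as the high-severity case (Middleware was likely skipped) and everything else as an attempt worth recording. The following is an added example written for this post, not code from the original. It assumes the reverse proxy writes one JSON object per request including the request headers (most proxies do not log custom headers by default, so enabling that is the prerequisite); the log lines, IP addresses and protected route prefixes are constructed.

```javascript
// Added example (not from the original post): detection pass over constructed
// reverse-proxy logs, flagging requests that carried x-middleware-subrequest
// and triaging them by whether a protected route answered 2xx.

const INTERNAL_HEADER = "x-middleware-subrequest";
// Assumed protected route prefixes; adjust to the application's own.
const PROTECTED_PREFIXES = ["/admin", "/dashboard"];

// Constructed sample log: one JSON object per line, plus one malformed line
// to show that the parser skips rather than aborts on it.
const SAMPLE_LOG = [
  '{"ts":"2025-03-23T10:00:01Z","ip":"203.0.113.10","method":"GET","path":"/","status":200,"headers":{"user-agent":"curl/8.5"}}',
  '{"ts":"2025-03-23T10:00:02Z","ip":"203.0.113.10","method":"GET","path":"/admin","status":307,"headers":{"user-agent":"curl/8.5"}}',
  '{"ts":"2025-03-23T10:00:03Z","ip":"203.0.113.10","method":"GET","path":"/admin","status":200,"headers":{"user-agent":"curl/8.5","x-middleware-subrequest":"middleware"}}',
  '{"ts":"2025-03-23T10:00:04Z","ip":"198.51.100.7","method":"GET","path":"/dashboard/panel","status":403,"headers":{"X-Middleware-Subrequest":"middleware:middleware:middleware:middleware:middleware"}}',
  "this line is not json and should be skipped",
  '{"ts":"2025-03-23T10:00:05Z","ip":"198.51.100.7","method":"GET","path":"/healthz","status":200,"headers":{}}',
].join("\n");

// Parse JSON-lines text into event objects, skipping blank or malformed lines.
function parseLogLines(text) {
  const events = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try {
      events.push(JSON.parse(line));
    } catch (_) {
      // malformed line: skip it, do not abort the whole pass
    }
  }
  return events;
}

// Header names may be logged in any case, so compare case-insensitively.
function hasInternalHeader(ev) {
  return Object.keys(ev.headers || {}).some((k) => k.toLowerCase() === INTERNAL_HEADER);
}

// Exact prefix match on path segments, so "/administrator" is not "/admin".
function isProtectedPath(path) {
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + "/"));
}

// Returns the flagged events with a severity, plus a per-client tally that is
// useful for deciding whom to block and what to correlate next.
function detect(text = SAMPLE_LOG) {
  const findings = [];
  const perClient = {};
  for (const ev of parseLogLines(text)) {
    if (!hasInternalHeader(ev)) continue;
    const protectedTarget = isProtectedPath(ev.path || "");
    const success = typeof ev.status === "number" && ev.status >= 200 && ev.status < 300;
    const severity = protectedTarget && success ? "high" : "medium";
    findings.push({ ts: ev.ts, ip: ev.ip, path: ev.path, status: ev.status, severity });
    perClient[ev.ip] = (perClient[ev.ip] || 0) + 1;
  }
  return { findings, perClient };
}

if (typeof require !== "undefined" && require.main === module) {
  const { findings, perClient } = detect();
  for (const f of findings) console.log(`[${f.severity}] ${f.ts} ${f.ip} ${f.path} -> ${f.status}`);
  console.log("attempts per client:", perClient);
}
if (typeof module !== "undefined") {
  module.exports = { SAMPLE_LOG, parseLogLines, hasInternalHeader, isProtectedPath, detect };
}
```

On the sample data this reports the 200 on `/admin` from 203.0.113.10 as high and the 403 on `/dashboard/panel` as medium; in practice a high finding on a host that was still running an affected version is the trigger for incident response on whatever that route exposes, not just a block on the source address.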

Additional Considerations

It's worth noting that the vulnerability's discovery, reported on March 18, 2025, following initial findings on February 27, 2025, reflects ongoing efforts to secure the framework. The rapid response, with patches released by March 22, 2025, as per the NVD entry, demonstrates Vercel's commitment to security. However, the end-of-life status of 11.x poses challenges for legacy users, who must migrate to supported versions to mitigate risks.

The unexpected detail here is the exemption of Vercel-hosted and static export applications, which may surprise users relying on self-hosted setups, highlighting the importance of deployment context in security assessments. Furthermore, the vulnerability's simplicity, as a header manipulation issue, serves as a reminder of the need for robust input validation and layered security, as discussed in the SOCRadar blog.

Conclusion

In conclusion, CVE-2025-29927 is a critical vulnerability in Next.js Middleware, affecting a wide range of versions and requiring immediate action for self-hosted applications. By updating to patched versions, blocking specific headers, or leveraging Cloudflare's WAF rule, users can mitigate risks effectively. This incident underscores the dynamic nature of web application security, with ongoing research and updates essential for maintaining robust protection.
