On March 21, 2025, a critical vulnerability identified as CVE-2025-29927 was disclosed in the Next.js framework. The flaw lets an attacker bypass authorization checks implemented in Next.js middleware by sending a crafted x-middleware-subrequest header with an ordinary HTTP request, potentially granting unauthorized access to protected routes such as admin pages and APIs.
🔍 Technical Details
What is Middleware in Next.js?
Middleware in Next.js (a `middleware.ts` or `src/middleware.ts` file, or `pages/_middleware.ts` in releases before 12.2) runs code before a request is completed. It is commonly used for authentication and authorization checks, redirects, rewrites, and modifying request or response headers.
The Vulnerability
The vulnerability arises from the way Next.js trusted its own internal x-middleware-subrequest header. When middleware triggers a nested request to the same server (for example via a rewrite or fetch), Next.js adds this header so that the nested request does not run the middleware again and recurse forever. The server, however, accepted the header from any client, not just from itself. An external request carrying the header with the right value therefore made Next.js believe it was already inside a middleware subrequest, and the middleware, along with every authentication or authorization check inside it, was skipped. Older affected releases (11.x and 12.x) skipped the middleware as soon as its file name appeared once in the header; recent affected releases (including 14.x and 15.x) counted occurrences against a recursion limit of 5, which is why the exploit below repeats the name five times. Deployments on Vercel and Netlify were not affected because those platforms strip the header in front of the application; self-hosted deployments (for example `next start` behind your own reverse proxy) are the ones at risk.
Affected Versions
The following Next.js versions are affected:
- 11.1.4 through 12.3.4
- 13.0.0 through 13.5.8
- 14.0.0 through 14.2.24
- 15.0.0 through 15.2.2
Patched versions include:
- 12.3.5
- 13.5.9
- 14.2.25
- 15.2.3
🚨 Exploitation Example
An attacker can exploit this vulnerability by sending an HTTP request with the x-middleware-subrequest header set to the name of the application's middleware file, repeated enough times to reach the recursion limit. For an application with `middleware.ts` at the project root on a recent affected release:

```http
GET /admin HTTP/1.1
Host: vulnerable-site.com
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
```

The server reads the header, counts five occurrences of its own middleware name, concludes it is already five levels deep in recursive middleware subrequests, and skips middleware processing for the request; the `/admin` route is then served without the authorization check the middleware would have enforced. The value must match the middleware's actual name: if the file lives under `src/`, the value is `src/middleware` repeated five times, and on 11.x and 12.x a single `pages/_middleware` or `middleware` entry is enough.
🛡️ Mitigation Strategies

1. Upgrade Next.js
Update to the latest patched version appropriate for your application:
- 12.3.5
- 13.5.9
- 14.2.25
- 15.2.3
2. Implement Workarounds
If immediate upgrading is not feasible, block the header at any layer in front of Next.js so that it never reaches the server. HTTP header names are case-insensitive, so the stripping must be case-insensitive as well; each of the configurations below is.
Strip the Vulnerable Header: Configure your web server or proxy to remove the x-middleware-subrequest header from incoming requests.
Nginx (setting the proxied header to an empty value makes nginx drop it from the upstream request):
```nginx
# Drop x-middleware-subrequest before the request is proxied to Next.js.
proxy_set_header x-middleware-subrequest "";
```
Apache (requires mod_headers):
```apache
RequestHeader unset x-middleware-subrequest
```
Express.js custom server (Node lowercases incoming header names, so this catches any capitalisation; it must be registered before the Next.js request handler):
```javascript
app.use((req, res, next) => {
  // Remove the internal header so Next.js never sees a client-supplied value.
  delete req.headers['x-middleware-subrequest'];
  next();
});
```
Enhance Security Checks: Do not let middleware be the only place authorization happens. Treat middleware as an optimistic early check that redirects unauthenticated users quickly; the authoritative check belongs in the route handler, server action, server component, or data access layer that actually reads or mutates the protected data, and it should derive the caller's identity from the session itself rather than from request headers that middleware may have set, since a skipped middleware leaves any such header under the attacker's control.
🔗 References
- Next.js Official Advisory
- JFrog Security Blog
- Datadog Security Labs
- Akamai Security Research
- National Vulnerability Database Entry
Stay vigilant and ensure your applications are updated to protect against this critical vulnerability.


