On March 21, 2025, a critical vulnerability identified as CVE-2025-29927 was disclosed in the Next.js framework. This flaw allows attackers to bypass middleware-based authorization checks by exploiting the x-middleware-subrequest header, potentially granting unauthorized access to protected routes.
🔍 Technical Details
What is Middleware in Next.js?
Middleware in Next.js enables developers to execute code before a request is completed, commonly used for tasks like authentication, redirects, and modifying responses.
The Vulnerability
The vulnerability arises from the misuse of the internal x-middleware-subrequest header. Originally intended to prevent recursive middleware execution, this header can be manipulated by attackers to skip middleware processing entirely. By crafting a request with this header, an attacker can bypass critical security checks implemented in middleware.
Affected Versions
The following Next.js versions are affected:
- 11.1.4 through 12.3.4
- 13.0.0 through 13.5.8
- 14.0.0 through 14.2.24
- 15.0.0 through 15.2.2
Patched versions include:
- 12.3.5
- 13.5.9
- 14.2.25
- 15.2.3
🚨 Exploitation Example
An attacker can exploit this vulnerability by sending an HTTP request with the x-middleware-subrequest header set to a specific value, such as:
httpCopyEditGET /admin HTTP/1.1
Host: vulnerable-site.com
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
This crafted header tricks Next.js into believing the middleware has already been executed multiple times, causing it to skip middleware processing and potentially granting unauthorized access.
🛡️ Mitigation Strategies
1. Upgrade Next.js
Update to the latest patched version appropriate for your application:
- 12.3.5
- 13.5.9
- 14.2.25
- 15.2.3
2. Implement Workarounds
If immediate upgrading is not feasible, consider the following workarounds:
Strip the Vulnerable Header: Configure your web server or proxy to remove the x-middleware-subrequest header from incoming requests.
Nginx:
proxy_set_header x-middleware-subrequest "";
Apache:
RequestHeader unset x-middleware-subrequest
Express.js Middleware:
app.use((req, res, next) => {
delete req.headers['x-middleware-subrequest'];
next();
});
``` :contentReference[oaicite:32]{index=32}
Enhance Security Checks: Ensure that critical authorization checks are not solely reliant on middleware and are enforced at multiple layers within the application.
🔗 References
- Next.js Official Advisory
- JFrog Security Blog
- Datadog Security Labs
- Akamai Security Research
- National Vulnerability Database Entry
Stay vigilant and ensure your applications are updated to protect against this critical vulnerability.
88winapp, wah kayaknya mobile friendly banget nih. Gak sabar pengen download appnya. Semoga enteng dan gak bikin lemot hp. Download di 88winapp
Logging into 66 Club was a breeze with 66clublogin.info. Super quick and easy. Definitely recommend using this if you want to play now. Don’t wait, check out 66clublogin
Alright BDG Wingame people, how are we feeling today? Logging in nice and smooth with bdgwingamelogin? Looking for a bit of fun, trying to see if it´s worth it. Good luck on the login! Check it out here: bdgwingamelogin
Geelyslots is a nice option for a quick spin. Nothing fancy, but reliable and fun. If you’re a slots fan, give it a go. Quick and easy. Spin away at geelyslots
Checked out 8xbetvina. It’s giving me good vibes so far. The interface is pretty user-friendly. What’s the word on payouts, though? Anyone had experience with withdrawing?
So xo 66vn… hmm, never heard of it before. But the website looks pretty slick. Might give it a go this weekend. Anyone else played on Soxo66vn? Let me know what you think! soxo66vn
What’s up, everyone? Looking for a new online casino? PHDreamOnlineCasino looks neat!. Jump in and give it a spin! phdreamonlinecasino
Thanks for sharing. I read many of your blog posts, cool, your blog is very good. https://www.binance.info/uk-UA/register?ref=XZNNWTW7
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article. https://accounts.binance.info/ru/register?ref=O9XES6KU