On March 21, 2025, a critical vulnerability identified as CVE-2025-29927 was disclosed in the Next.js framework. This flaw allows attackers to bypass middleware-based authorization checks by exploiting the x-middleware-subrequest header, potentially granting unauthorized access to protected routes.
Technical Details
What is Middleware in Next.js?
Middleware in Next.js enables developers to execute code before a request is completed, commonly used for tasks like authentication, redirects, and modifying responses.
The Vulnerability
The vulnerability arises from the misuse of the internal x-middleware-subrequest header. Next.js uses this header internally to prevent recursive middleware execution, but the framework does not verify that the header actually originated from itself, so an external client can set it and cause middleware processing to be skipped entirely. By crafting a request with this header, an attacker can bypass critical security checks implemented in middleware.
Affected Versions
The following Next.js versions are affected:
- 11.1.4 through 12.3.4
- 13.0.0 through 13.5.8
- 14.0.0 through 14.2.24
- 15.0.0 through 15.2.2
Patched versions include:
- 12.3.5
- 13.5.9
- 14.2.25
- 15.2.3
Exploitation Example
An attacker can exploit this vulnerability by sending an HTTP request with the x-middleware-subrequest header set to a specific value, such as:

```http
GET /admin HTTP/1.1
Host: vulnerable-site.com
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
```

This crafted header tricks Next.js into believing the middleware has already been executed the maximum number of times, causing it to skip middleware processing and potentially granting unauthorized access to the protected route.
Mitigation Strategies

1. Upgrade Next.js
Update to the latest patched version appropriate for your application:
- 12.3.5
- 13.5.9
- 14.2.25
- 15.2.3
2. Implement Workarounds
If immediate upgrading is not feasible, consider the following workarounds:
Strip the Vulnerable Header: Configure your web server or proxy to remove the x-middleware-subrequest header from incoming requests before they reach Next.js.

Nginx (an empty value causes nginx to omit the header when proxying):

```nginx
proxy_set_header x-middleware-subrequest "";
```

Apache:

```apache
RequestHeader unset x-middleware-subrequest
```

Express.js middleware (Node lowercases incoming header names, so the key is always lowercase):

```javascript
app.use((req, res, next) => {
  // Remove the internal Next.js header before any downstream handler sees it.
  delete req.headers['x-middleware-subrequest'];
  next();
});
```
Enhance Security Checks: Ensure that critical authorization checks are not solely reliant on middleware and are also enforced at other layers of the application, such as in the route handlers and API endpoints themselves, so that a middleware bypass alone does not expose protected data.
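The following added example (not code from the advisory or from the Next.js project) combines the header-stripping workaround with detection: an Express-style guard that always removes x-middleware-subrequest and additionally logs requests whose value matches the repeated-segment pattern shown above. It assumes Express-compatible `req`/`res`/`next` arguments, treats five repetitions (the count in the page's example) as the trigger, and includes `src/middleware` as a second segment name on the assumption that projects using the Next.js `src/` layout name their middleware that way.

```javascript
// Express-compatible guard for CVE-2025-29927: strip the internal x-middleware-subrequest
// header from every inbound request and flag values matching the bypass pattern.

// Segment names to count. "middleware" is the value shown in the advisory; "src/middleware"
// is assumed here for projects that use Next.js's src/ layout.
const MIDDLEWARE_NAMES = new Set(['middleware', 'src/middleware']);
const RECURSION_DEPTH = 5; // repetition count in the advisory's example that triggers the skip

// Classify a raw header value: 'absent', 'suspicious' (matches the bypass pattern)
// or 'present' (set, but not matching the pattern).
function classifySubrequestHeader(value) {
  if (value === undefined || value === null || value === '') return 'absent';
  const counts = new Map();
  for (const seg of String(value).split(':')) {
    const name = seg.trim().toLowerCase();
    if (MIDDLEWARE_NAMES.has(name)) counts.set(name, (counts.get(name) || 0) + 1);
  }
  for (const n of counts.values()) if (n >= RECURSION_DEPTH) return 'suspicious';
  return 'present';
}

// Middleware factory. The header is internal to Next.js and should never arrive from a
// client, so it is removed whenever present; a finding is logged only for the bypass pattern.
function stripSubrequestHeader(log = console.warn) {
  return function (req, res, next) {
    const verdict = classifySubrequestHeader(req.headers['x-middleware-subrequest']);
    if (verdict === 'suspicious') {
      log(`possible CVE-2025-29927 bypass attempt: ${req.ip} ${req.method} ${req.url}`);
    }
    if (verdict !== 'absent') delete req.headers['x-middleware-subrequest'];
    req.subrequestHeaderVerdict = verdict; // exposed for downstream metrics/audit
    next();
  };
}

// Run the guard over constructed sample requests (not captured traffic).
function demo() {
  const findings = [];
  const guard = stripSubrequestHeader((msg) => findings.push(msg));
  const reqs = [
    { ip: '203.0.113.5', method: 'GET', url: '/admin', headers: {
        'x-middleware-subrequest': 'middleware:middleware:middleware:middleware:middleware' } },
    { ip: '203.0.113.6', method: 'GET', url: '/admin', headers: { 'x-middleware-subrequest': 'middleware' } },
    { ip: '203.0.113.7', method: 'GET', url: '/', headers: {} },
  ];
  for (const req of reqs) guard(req, {}, () => {});
  return { findings, verdicts: reqs.map((r) => r.subrequestHeaderVerdict),
           headerRemains: reqs.map((r) => 'x-middleware-subrequest' in r.headers) };
}
```

Register the guard with `app.use(stripSubrequestHeader())` ahead of any proxying to Next.js; it is a stop-gap for detection and header hygiene, not a substitute for upgrading to a patched version.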
References
- Next.js Official Advisory
- JFrog Security Blog
- Datadog Security Labs
- Akamai Security Research
- National Vulnerability Database Entry
Stay vigilant and ensure your applications are updated to protect against this critical vulnerability.