Full Report
A critical severity vulnerability has been discovered in the Next.js open-source web development framework, potentially allowing attackers to bypass authorization checks. [...]
Analysis Summary
# Vulnerability: Next.js Middleware Authorization Bypass via 'x-middleware-subrequest' Header
## CVE Details
- CVE ID: CVE-2025-29927
- CVSS Score: Information not provided in detail, but described as **Critical**.
- CWE: Likely related to Improper Access Control or Input Validation (specific CWE not listed).
## Affected Systems
- Products: Next.js
- Versions: All versions *before* 15.2.3, 14.2.25, 13.5.9, and 12.3.5.
- Configurations: Self-hosted deployments using `next start` with `output: standalone`. Applications hosted on Vercel or Netlify, or deployed as static exports, are **NOT** affected. The vulnerability is only exploitable where middleware is used for authorization or other security checks and no further validation is performed downstream of it.
## Vulnerability Description
The vulnerability exists in how Next.js handles the `x-middleware-subrequest` header, an internal header intended to prevent infinite loops when middleware re-triggers itself. An attacker can craft a request that includes this header with the correct value (not disclosed in this summary). When the `runMiddleware` function detects the header, it skips the entire middleware execution chain, so any authentication, authorization, geo-blocking or rate-limiting checks that the middleware performs are never run for that request.
## Exploitation
- Status: Technical details for exploitation are public, indicating a high likelihood of exploitation attempts.
- Complexity: Not explicitly stated, but bypassing security mechanisms usually implies **Low to Medium** complexity once the header mechanism is understood.
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High (If authorization controls sensitive data access)
- Integrity: High (If authorization controls critical state changes)
- Availability: Medium (If authorization controls resource access)
## Remediation
### Patches
Users should upgrade to the following fixed versions or newer:
- Next.js versions **15.2.3** or later.
- Next.js versions **14.2.25** or later.
- Next.js versions **13.5.9** or later.
- Next.js versions **12.3.5** or later.
### Workarounds
If immediate patching is not possible, apply a network-level mitigation:
- Block all external user requests that include the `x-middleware-subrequest` header.
- Implement application-level validation *after* middleware execution so that authorization is re-verified on the route or API handler itself, rather than relying on middleware having already enforced it.
## Detection
- Indicators of Compromise: Unauthenticated access to pages or endpoints protected solely by Next.js middleware. Look for HTTP requests originating from external sources containing the `x-middleware-subrequest` header.
- Detection methods and tools: Network monitoring tools or WAFs configured to inspect request headers for the presence of `x-middleware-subrequest`.
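As an added example (not code from the advisory or from the Next.js project), the two defensive steps above, the edge-layer block on the header and a scan for it in request logs, in plain Node.js. The access-log format, the sample lines and the IP addresses are constructed for the demonstration; a real deployment would need its reverse proxy to log request header names for the scan to apply.

```javascript
// Internal Next.js header that external clients should never send.
const BLOCKED_HEADER = "x-middleware-subrequest";

// True when the request carries the internal header. HTTP header names are
// case-insensitive, so normalise before comparing.
function carriesSubrequestHeader(headers) {
  return Object.keys(headers).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER
  );
}

// Edge-layer decision for an inbound request from an external client:
// reject with 403 if the header is present, otherwise forward unchanged.
// Trusted internal hops are assumed to be handled separately.
function screenRequest(req) {
  if (carriesSubrequestHeader(req.headers)) {
    return { action: "block", status: 403, reason: `external request carried ${BLOCKED_HEADER}` };
  }
  return { action: "forward", status: null, reason: null };
}

// Constructed access-log format (assumption): ip method path status "header names".
const LOG_LINE = /^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$/;

// Returns the log entries whose logged header names include the internal header.
function findSuspiciousLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue; // skip lines that do not match the assumed format
    const [, ip, method, path, status, headerList] = m;
    const names = headerList.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (names.includes(BLOCKED_HEADER)) {
      hits.push({ ip, method, path, status: Number(status) });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic); documentation-range IPs.
const SAMPLE_LOG = [
  '203.0.113.7 GET /admin 200 "host, user-agent, X-Middleware-Subrequest"',
  '198.51.100.2 GET /admin 307 "host, user-agent, cookie"',
  '203.0.113.7 POST /api/users 200 "host, content-type, x-middleware-subrequest"',
];

console.log(findSuspiciousLogLines(SAMPLE_LOG));
```

A 200 on a middleware-protected path together with the header, as in the first and third sample lines, is exactly the pattern the Indicators of Compromise above describe.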
## References
- Vendor Advisories: nextjs.org/blog/cve-2025-29927
- Relevant links:
  - bleepingcomputer.com/news/security/critical-flaw-in-nextjs-lets-hackers-bypass-authorization/
  - x.com/zhero___
  - zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware (defanged)