Full Report
A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions. The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0. "Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops," Next.js said in an
Analysis Summary
# Vulnerability: Next.js Middleware Authorization Bypass via Internal Header
## CVE Details
- CVE ID: CVE-2025-29927
- CVSS Score: 9.1 (High)
- CWE: (Not explicitly stated, but related to insufficient authorization checks)
## Affected Systems
- Products: Next.js React framework
- Versions: All releases on the 12.x, 13.x, 14.x and 15.x lines prior to the patched versions listed under Remediation.
- Configurations: Any host website utilizing Next.js middleware to enforce authorization checks without having additional, external authorization layers.
## Vulnerability Description
The vulnerability exists due to improper handling of an internal header, `x-middleware-subrequest`, which Next.js uses to prevent recursive requests within its middleware processing chain. An attacker can manipulate this header in an external user request, causing the Next.js application to skip the execution of middleware functions. Since the middleware often contains critical authorization logic (like cookie validation), skipping it allows the attacker to reach routes that should otherwise be protected, potentially accessing sensitive pages reserved for privileged users.
## Exploitation
- Status: High risk; the researcher has published technical details, so exploitation attempts are likely.
- Complexity: Low (the attack requires only adding a specific header to an otherwise ordinary request).
- Attack Vector: Network
## Impact
- Confidentiality: High (Potential access to sensitive pages/data protected only by middleware).
- Integrity: High (an attacker reaching protected routes may be able to modify the resources they expose).
- Availability: Low (Primary impact is unauthorized access, not denial of service).
## Remediation
### Patches
- Next.js 12.3.5
- Next.js 13.5.9
- Next.js 14.2.25
- Next.js 15.2.3
### Workarounds
- Implement a configuration/WAF rule to **prevent external user requests containing the `x-middleware-subrequest` header** from reaching the Next.js application layer.
- Ensure that critical access controls are **not solely** dependent on authorization checks performed within Next.js middleware (i.e., also enforce authorization outside or underneath the middleware layer as a fail-safe).
## Detection
- **Indicators of Compromise:** Access-log entries for routes normally protected by middleware that lack the usual session or authentication artifacts.
- **Detection Methods and Tools:** Monitor incoming HTTP requests for the `x-middleware-subrequest` header when it arrives from external sources (not from an internal proxy or a legitimate recursive sub-request).
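A defensive example for the workaround and detection items above, added here and not taken from the advisory or the Next.js project: an edge-layer filter that rejects external requests carrying the internal header, and a scan of constructed JSON access-log lines for the same indicator. The header name is from the advisory; the log format, the `src` field and the trusted-source list are assumptions.

```javascript
// Added example (not from the advisory or the Next.js project): a reverse-proxy /
// edge-layer filter that enforces the workaround above, plus a detector that
// scans access logs for the indicator. The header name comes from the advisory;
// the log format, source field and trusted ranges are assumptions.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// Assumed trusted internal hops; only these may legitimately carry the internal
// header. Matched by exact string here for simplicity (use CIDR checks in prod).
const TRUSTED_SOURCES = new Set(['127.0.0.1', '::1']);

// Apply at the layer in front of Next.js (WAF, reverse proxy, edge function).
// Returns a decision object so the caller can reject or forward the request.
function filterInbound(headers, sourceIp) {
  const found = Object.keys(headers).some(
    (h) => h.toLowerCase() === INTERNAL_HEADER,
  );
  if (!found || TRUSTED_SOURCES.has(sourceIp)) return { action: 'forward', headers };
  // External request carrying an internal-only header: block it. Stripping the
  // header and forwarding also satisfies the workaround; blocking is preferable
  // because it surfaces the attempt instead of silently correcting it.
  return { action: 'block', reason: `external request set ${INTERNAL_HEADER}` };
}

// Detection over JSON access logs (constructed format: one object per line with
// src, path, status and a headers map as recorded by the proxy).
function findBypassAttempts(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    const hdrs = Object.keys(rec.headers || {}).map((h) => h.toLowerCase());
    if (hdrs.includes(INTERNAL_HEADER) && !TRUSTED_SOURCES.has(rec.src)) {
      hits.push({ src: rec.src, path: rec.path, status: rec.status });
    }
  }
  return hits;
}

// Constructed sample log: one benign request, one internal sub-request, and one
// external request to a protected route carrying the header (value redacted).
const SAMPLE_LOG = [
  '{"src":"203.0.113.7","path":"/login","status":200,"headers":{"host":"app.example"}}',
  '{"src":"127.0.0.1","path":"/api/data","status":200,"headers":{"x-middleware-subrequest":"[redacted]"}}',
  '{"src":"203.0.113.7","path":"/admin","status":200,"headers":{"X-Middleware-Subrequest":"[redacted]"}}',
].join('\n');
```

Header matching is case-insensitive in both functions because HTTP header names are, so a mixed-case variant is caught the same way as the lowercase one.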
## References
- Vendor advisory: nextjs.org/blog/cve-2025-29927
- Technical details: zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware