In March 2025, a critical vulnerability identified as CVE-2025-29927 was disclosed in Next.js, a popular React-based web framework. The flaw affects versions prior to 12.3.5, 13.5.9, 14.2.25, and 15.2.3. It stems from improper trust of the x-middleware-subrequest header, which is meant to prevent infinite middleware loops. By spoofing this header, attackers can bypass middleware logic entirely including authentication and authorization mechanisms thereby gaining unauthorized access to protected routes in vulnerable applications.
Due to the widespread reliance on middleware in Next.js apps, the impact is significant.
- CVE ID: CVE-2025-29927
- Severity: Critical
- CVSS Score: 9.1
- EPSS Score: 92.56
- Published: March 2025
- Affected Versions: < 12.3.5, < 13.5.9, < 14.2.25, < 15.2.3
- Patched Versions: 12.3.5, 13.5.9, 14.2.25, 15.2.3
Next.js uses middleware to enforce security policies such as authentication and authorization before routing requests. To avoid infinite loops during internal redirects or server-side rendering (SSR), it includes a special header x-middleware-subrequest in internal requests.
The flaw lies in the fact that this header is blindly trusted by the framework without verifying its origin. An attacker can spoof this header in a request, tricking the server into skipping the middleware layer entirely. This effectively bypasses all access control logic enforced by middleware, granting unauthorized access to protected routes.
An attacker sends a request with a spoofed x-middleware-subrequest header to impersonate an internal request.
Example Request:
| GET /admin HTTP/1.1 Host: vulnerable-app.com x-middleware-subrequest: middleware |
This tricks the server into thinking it’s a trusted internal request, bypassing middleware logic such as session or role validation.
Impact
Successful exploitation can allow attackers to:
- Access protected routes without authentication
- Bypass critical authorization logic
- Perform privilege escalation
- Reach internal-only functionality exposed through middleware
An attacker could leverage the publicly available PoC to compromise vulnerable systems, like the one found in our OffSec Lab (available in Proving Grounds).
1. Check Your Next.js Version
- npm list next or yarn list next
- You are vulnerable if you’re running a version below:
- 12.3.5
- 13.5.9
- 14.2.25
- 15.2.3
2. Middleware Review
- Identify routes relying on middleware for access control.
3. Log Analysis
- Check access logs for unusual or unauthorized access attempts using x-middleware-subrequest.
4. Header Inspection
- Monitor for requests that explicitly include the x-middleware-subrequest header from external IPs.
Immediate Fix:
Upgrade Next.js to:
- 12.3.5+
- 13.5.9+
- 14.2.25+
- 15.2.3+
1. Workaround (if upgrade isn’t possible):
- Block or strip the `x-middleware-subrequest` header at the reverse proxy or edge layer (e.g., Nginx, Cloudflare, etc.)
2. Long-Term Best Practices:
- Don’t rely solely on middleware for authentication/authorization.
- Implement fallback access controls at the route/controller level.
https://nvd.nist.gov/vuln/detail/CVE-2025-29927
https://nextjs.org/blog/cve-2025-29927
https://securitylabs.datadoghq.com/articles/nextjs-middleware-auth-bypass
