A critical security vulnerability, identified as CVE-2025-29927, has been discovered in Next.js. This flaw enables attackers to bypass authorization checks implemented in middleware, potentially granting unauthorized access to sensitive areas of applications, such as administrative pages.

What Is The Vulnerability?

Next.js utilizes an internal header, x-middleware-subrequest, to prevent recursive requests that could lead to infinite loops. However, in affected versions, it is possible to manipulate this header to skip middleware execution. This means that critical checks, including authorization validation, can be circumvented, allowing unauthorized requests to reach protected routes.

Affected Versions

  • 15.x prior to 15.2.3
  • 14.x prior to 14.2.25
  • 13.x prior to 13.5.9

Applications hosted on platforms like Vercel and Netlify, or those deployed as static exports, are not affected by this issue.

Impact

Exploiting this vulnerability can allow an attacker to bypass authentication if authentication is performed via middleware headers.

Mitigation

Upgrade Next.js: Update to the patched versions (15.2.3, 14.2.25, or 13.5.9) as applicable to your application.

Implement Workarounds: If immediate upgrading is not feasible, configure your web server or reverse proxy to block or strip the x-middleware-subrequest header from external requests.
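The header-stripping workaround above, shown at an application-level reverse proxy as an added example (not code from the original post or from Next.js). It assumes a Node.js layer in front of the Next.js server that sees the raw inbound headers; the request records and header values are constructed.

```javascript
// Added example (not from the original post or from Next.js): apply the
// header-stripping workaround in a Node.js reverse-proxy layer. External
// requests must never carry the internal x-middleware-subrequest header, so
// it is dropped before forwarding and its presence is recorded for detection.
const INTERNAL_HEADER = 'x-middleware-subrequest';

// Return a copy of the inbound headers without the internal header.
// Comparison is case-insensitive: Node lower-cases names, but other
// proxies may not. The `stripped` flag feeds detection/alerting.
function sanitizeHeaders(headers) {
  const cleaned = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) { stripped = true; continue; }
    cleaned[name] = value;
  }
  return { headers: cleaned, stripped };
}

// Scan request records (constructed shape: { ip, path, headers }) and return
// one alert per request that carried the internal header from outside.
function findSuspiciousRequests(requests) {
  return requests
    .filter((r) => sanitizeHeaders(r.headers).stripped)
    .map((r) => ({ ip: r.ip, path: r.path, reason: `external ${INTERNAL_HEADER} header` }));
}

// Constructed sample traffic: one benign request, one carrying the header
// (the header value here is a placeholder, not a real payload).
const SAMPLE_REQUESTS = [
  { ip: '203.0.113.10', path: '/dashboard', headers: { host: 'app.example', cookie: 'session=abc' } },
  { ip: '198.51.100.7', path: '/admin', headers: { host: 'app.example', 'X-Middleware-Subrequest': 'constructed-value' } },
];

// Run the detection over the sample traffic and print one line per alert.
function demo() {
  const alerts = findSuspiciousRequests(SAMPLE_REQUESTS);
  for (const a of alerts) console.warn(`[alert] ${a.ip} -> ${a.path}: ${a.reason}`);
  return alerts;
}

demo();
```

In a real deployment, forward `sanitizeHeaders(req.headers).headers` to the upstream Next.js server and route the alerts to your logging pipeline.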

Original blogpost by Rachid Allam who discovered this vulnerability: https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

Testing

The CyberMaxx Security Research team has provided a script to test whether your application is potentially vulnerable to CVE-2025-29927. Find it here: GitHub – TheresAFewConors/CVE-2025-29927-Testing