Threat Insight
CVE-2025-29927: Critical Next.js Authorization Bypass Vulnerability
Next.js has published security patches[1] for a critical authorization bypass in the React-based framework. The flaw stems from insufficient validation of the x-middleware-subrequest header, an internal header the framework uses to mark its own sub-requests: in affected versions a client-supplied value could cause Middleware, and any authorization check it performs, to be skipped.

An attacker who can reach a vulnerable self-hosted application adds the x-middleware-subrequest header to an otherwise ordinary HTTP request. If the value matches what the framework expects from its own internal sub-requests (the middleware's name, repeated several times in newer versions to satisfy the recursion-depth guard), Middleware is not executed for that request, so any authentication, authorization, redirect or header-rewriting logic implemented there is bypassed. Routes that rely solely on Middleware for access control, for example admin-only endpoints or restricted user data, become reachable without credentials. Checks that are performed again inside route handlers, server components or API handlers are not affected by the bypass.
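The following is an added example written for this advisory, not Next.js source code: a simplified Node.js model of request dispatch in an application that enforces authorization in Middleware. It shows how a client-supplied x-middleware-subrequest header skipped that Middleware in affected versions and why a second check inside the route handler closes the gap. The two skip rules follow the researcher write-up[2]: affected 15.x releases treated the header as a recursion guard and skipped Middleware once the middleware's own name appeared MAX_RECURSION_DEPTH (5) times in the colon-separated value, while earlier affected lines skipped it as soon as the name appeared at all. The middleware name 'middleware', the session-cookie check and the request objects are constructed for the example.

```javascript
// Added example, not Next.js source: a simplified model of request dispatch
// in an application that enforces authorization in Middleware.
//
// Skip rules modelled from the researcher write-up [2]:
//   'depth'    - 15.x behaviour: name must appear MAX_RECURSION_DEPTH times
//   'includes' - earlier behaviour: name appearing once is enough
// The rule selector itself is this example's abstraction, not framework code.
const MAX_RECURSION_DEPTH = 5;

// Decides whether the (modelled) framework skips Middleware for this request.
function middlewareSkipped(headers, middlewareName, rule) {
  const raw = headers['x-middleware-subrequest'];
  const parts = typeof raw === 'string' ? raw.split(':') : [];
  if (rule === 'depth') {
    const depth = parts.filter((p) => p === middlewareName).length;
    return depth >= MAX_RECURSION_DEPTH;
  }
  return parts.includes(middlewareName);
}

// Header value an attacker would send for each rule. The middleware file name
// is assumed to be 'middleware'; 'src/middleware' is the other common name.
function craftedHeaderValue(middlewareName, rule) {
  return rule === 'depth'
    ? Array(MAX_RECURSION_DEPTH).fill(middlewareName).join(':')
    : middlewareName;
}

// Constructed stand-in for session validation.
function validSession(req) {
  return req.cookies.session === 'valid-session-token';
}

// The application's Middleware: /admin requires a valid session.
function authMiddleware(req) {
  if (req.path.startsWith('/admin') && !validSession(req)) {
    return { status: 307, location: '/login' };
  }
  return null; // continue to the route
}

// Route that trusts Middleware alone (the pattern the advisory warns about).
function adminRouteTrusting() {
  return { status: 200, body: 'admin data' };
}

// Route that re-validates authorization itself (defence in depth).
function adminRouteHardened(req) {
  if (!validSession(req)) return { status: 403, body: 'forbidden' };
  return { status: 200, body: 'admin data' };
}

// Modelled dispatch: Middleware runs unless the header check suppresses it.
function dispatch(req, { rule, middlewareName = 'middleware', route }) {
  if (!middlewareSkipped(req.headers, middlewareName, rule)) {
    const res = authMiddleware(req);
    if (res) return res;
  }
  return route(req);
}

// Three requests to /admin with no session cookie: plain, crafted against a
// trusting route, crafted against a hardened route.
function demo(rule = 'depth') {
  const anon = { path: '/admin', headers: {}, cookies: {} };
  const crafted = {
    ...anon,
    headers: { 'x-middleware-subrequest': craftedHeaderValue('middleware', rule) },
  };
  return {
    plain: dispatch(anon, { rule, route: adminRouteTrusting }).status,             // 307
    craftedTrusting: dispatch(crafted, { rule, route: adminRouteTrusting }).status, // 200
    craftedHardened: dispatch(crafted, { rule, route: adminRouteHardened }).status, // 403
  };
}

console.log(demo('depth'), demo('includes'));
```

The plain request is redirected to /login by Middleware; the crafted request reaches the trusting route and receives the admin data; the same crafted request against the hardened route is refused with 403 because the handler does not depend on Middleware having run. That last case is the property worth carrying into real code regardless of patch status.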
CVE
CVE-2025-29927
Affected Products
Self-hosted Next.js applications using Middleware (next start with output: standalone). This affects you if you rely on Middleware for authentication or authorization checks that are not validated again later in your application. The vendor advisory[1] lists applications hosted on Vercel, Netlify and Cloudflare Workers as not affected.
Affected versions:
Next.js <15.2.3
Next.js <14.2.25
Next.js <13.5.9
Next.js <12.3.5
Exploitation
A public proof of concept[2] is available and exploitation in the wild has been confirmed. The request is trivial to construct (a single added header on a normal GET), so unpatched, internet-exposed systems should be treated as actively targeted.
Recommended Actions
1. Upgrade to one of the patched versions (15.2.3, 14.2.25, 13.5.9, 12.3.5) of Next.js provided by the vendor.
2. If patching is not immediately possible, block or strip the x-middleware-subrequest header at the reverse proxy, load balancer or WAF so that external requests carrying it never reach the Next.js application. HTTP header names are case-insensitive, so the rule must match any casing. After deploying either measure, confirm that a request carrying the header to a protected path still receives the Middleware response (redirect or 401/403) rather than the protected content.
3. Independently of the patch, do not rely on Middleware as the only authorization layer: re-validate the session or permissions in the route handlers, server actions and API routes that serve restricted data.
References
[1] https://nextjs.org/blog/cve-2025-29927
[2] https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware