Logic scanner now available! Try it out
Back
CVE Analysis - 6 min read

Next.js Middleware Exploit: CVE-2025-29927 Authorization Bypass

Explore the critical CVE-2025-29927 vulnerability in Next.js middleware, enabling attackers to bypass authorization checks and gain unauthorized access.

ZeroPath Security Research

ZeroPath Security Research

2025-03-21
Next.js Middleware Exploit: CVE-2025-29927 Authorization Bypass

Next.js Middleware Exploit: CVE-2025-29927 Authorization Bypass

Summary

A critical vulnerability (CVE-2025-29927) in Next.js has been discovered that enables attackers to bypass middleware security controls through manipulation of the x-middleware-subrequest header. This vulnerability affects authentication, authorization, path rewriting, and security header implementations across multiple Next.js versions, from 11.1.4 through unpatched releases of v14.x and v15.x. It has received a CVSS score of 9.1, classifying it as a critical security risk.

Technical Background

Next.js middleware functions as an interceptor that executes before a request reaches its destination. It's commonly used to implement authentication checks, authorization controls, rewrite paths, redirect requests, and apply security headers. The middleware execution is managed by the runMiddleware function within Next.js.

The vulnerability exists in the internal mechanism designed to prevent infinite middleware recursion loops. As discovered by security researcher Rachid Allam (known as "zhero"), the execution of middleware can be controlled through manipulation of the x-middleware-subrequest header.

In older versions (pre-12.2), the middleware would check if this header's value contained the path to the middleware file. If it did, the middleware execution would be skipped entirely.

In more recent versions, the middleware implements a "MAX_RECURSION_DEPTH" check (set to 5) to prevent infinite loops. If the middleware path appears 5 or more times in the header value (separated by colons), the middleware execution is skipped. This mechanism, intended for internal use, can be exploited by external requests.

The critical security flaw is that this internal protection mechanism accepts and processes the header from any incoming request, including those from external sources, without validation. This allows attackers to craft requests that deliberately bypass middleware security controls.

Exploit Details

The exploit works by including a specially crafted x-middleware-subrequest header in HTTP requests:

For older versions (pre-12.2):

x-middleware-subrequest: pages/_middleware

For modern versions:

x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

If using the src directory structure:

x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware

Attack Vectors

This vulnerability enables several attack scenarios:

  1. Authentication Bypass: Attackers can access protected routes without requiring valid credentials or session tokens.

  2. Content Security Policy (CSP) Bypass: If CSP headers are applied via middleware, this exploit can circumvent these protections, potentially enabling cross-site scripting (XSS) attacks.

  3. Geographic Restrictions Bypass: Applications that use middleware to implement region-based content restrictions can have these controls bypassed.

  4. Security Header Removal: Protective headers like HSTS, X-Frame-Options, or X-Content-Type-Options applied by middleware can be negated.

  5. Cache Poisoning: Under certain configurations, bypassing a rewrite may lead to caching a 404 or 500 error (CPDoS attack).

Affected Versions

  • Next.js 11.1.4 to 12.3.4
  • Next.js 13.0.0 to 13.5.8
  • Next.js 14.0.0 to 14.2.24
  • Next.js 15.0.0 to 15.2.2

According to the official GitHub Security Advisory, the following patched versions are available:

  • Next.js 12.3.5
  • Next.js 13.5.9
  • Next.js 14.2.25
  • Next.js 15.2.3

Users of all affected versions should update to the corresponding patched version or implement the recommended workaround if immediate updating is not possible.

Detecting Vulnerable Applications

To identify vulnerable applications, look for:

  1. The presence of x-powered-by: Next.js in response headers (although this can be disabled)
  2. Headers like x-middleware-rewrite or x-nextjs-cache
  3. References to /_next/static/ in response bodies
  4. Variations in response with and without the exploit header

Mitigation Strategies

Primary Recommendation: Update Immediately

  • For Next.js 15.x: Update to ≥ 15.2.3
  • For Next.js 14.x: Update to ≥ 14.2.25
  • For Next.js 13.x: Update to ≥ 13.5.9
  • For Next.js 12.x: Update to ≥ 12.3.5

Secondary Options:

If immediate updating is not possible, implement one of these mitigations:

  1. Block the Header at Web Server/Proxy Level:

    For Nginx:

    location / {
  proxy_set_header x-middleware-subrequest "";
}

    For Apache:

    RequestHeader unset x-middleware-subrequest

  2. Apply WAF Rules: If using Cloudflare or similar services, configure WAF rules to block requests containing the x-middleware-subrequest header.

  3. Implement Defense-in-Depth: Add secondary authentication checks within route handlers or API endpoints as a backup to middleware controls.

References

Ready for effortless AppSec?

Get a live ZeroPath tour.

Schedule a demo with one of the founders Dean Valentine Raphael Karger Nathan Hrncirik Yaacov Tarko to get started.

Schedule a demo