
Next.js Middleware Bypass Vulnerability (CVE-2025-29927): Who’s at Risk and Mitigation

Published Date: Apr 22, 2025

Quick Summary: A recently disclosed vulnerability in Next.js leaves websites and web applications built on the framework open to authorization bypass: a specially crafted HTTP request lets an attacker evade middleware authorization checks and reach protected parts of a site or app. Read on to learn what the Next.js middleware bypass vulnerability is, how to fix it, and how to check whether your site or app is vulnerable.

Are you using the Next.js framework? Then this is a critical alert for you: a high-risk middleware bypass vulnerability with a CVSS score of 9.1 has been discovered in the framework. It was officially disclosed on March 21, 2025, and lets an attacker bypass authorization checks with a simple header manipulation.

The middleware bypass vulnerability has been assigned CVE-2025-29927, and it is among the most critical security risks currently facing web applications and websites built on Next.js. In this blog, our security experts provide in-depth insight into the vulnerability, its impact, its risks, and how to mitigate it.


On This Page
  1. An Overview of Next.js Middleware Vulnerability
  2. How Can Attackers Exploit Next.js Middleware Bypass?
  3. How to Check If You are at Risk?
  4. Ways to Mitigate Next.js Middleware Vulnerability
  5. ZeroThreat – Detect Vulnerabilities Precisely!

What is Next.js Middleware Vulnerability (CVE-2025-29927)?

CVE-2025-29927 is an authorization bypass vulnerability in Next.js, a React framework used in websites and web apps to improve page speed and SEO. An attacker who successfully exploits it can circumvent middleware-based security checks to access sensitive data or resources on your website or web application.

Next.js provides middleware to control and modify the flow of requests and responses. It is widely used for authentication and authorization checks that verify a user before the request is forwarded to its final destination.

An attacker can send a specially crafted HTTP request that sets the “x-middleware-subrequest” header, which is intended for internal use only, to trick your website or web app into skipping the authentication or authorization checks performed in middleware.

You are at risk from the Next.js middleware vulnerability if you are using any of the following versions:

  • Version 11.1.4 through 13.5.6
  • Version 14.x before 14.2.25
  • Version 15.x before 15.2.3

If your web application or website runs on any of these versions and relies on middleware for authorization or authentication checks, you should update to a patched version immediately.

How Does an Attacker Exploit the Next.js Middleware Vulnerability?

Next.js middleware runs before a request reaches its destination. Middleware functions can be used for numerous purposes, including user authentication; for example, a user can be redirected to a login page if cookie-based authentication fails.

The framework also uses an internal header named “x-middleware-subrequest” to manage these flows: it marks internal sub-requests and prevents infinite recursion.

Although this header is meant to be used only internally, it can be abused because middleware names and file paths are predictable. An attacker can forge the header in a request so the application treats the request as internal and skips the middleware checks.

The attacker crafts an HTTP request that includes “x-middleware-subrequest” with the middleware name or path as its value, “src/middleware” for example.

Such a request causes the Next.js internal logic to skip the middleware, as shown in the request below.

GET /admin HTTP/1.1
Host: example-site.com
x-middleware-subrequest: src/middleware

This single-value form may not work on Next.js 15.x, where the header is used to guard against infinite recursion. When middleware is running on a path, the Next.js framework can fetch another URL that also runs the same middleware, so it needs to know how deep that chain has gone.

The framework reads the “x-middleware-subrequest” header to count how many times the middleware has already been invoked. It compares that count against a constant called “MAX_RECURSION_DEPTH”, which is set to 5 by default, and stops invoking the middleware once this limit is hit.

An attacker can abuse this by repeating the middleware name in the header enough times to hit that limit, so the middleware is skipped entirely:

GET /admin HTTP/1.1
Host: example-site.com
x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware

How to Know If You are at Risk?

Since the Next.js middleware bypass is a serious web application security threat, you will want to know whether you are at risk and to take the right mitigation steps promptly. You are most likely at risk if, first, your application’s security controls depend on Next.js middleware in a self-hosted deployment, and second, you run that self-hosted application or site with next start and output: ‘standalone’.

Applications are particularly at risk when:

  • Authorization and authentication are done via middleware.
  • Using middleware to implement security headers like CSP (Content Security Policy).
  • Using middleware for path rewriting to prevent access to specific routes.

Your application isn’t affected if it is hosted on Netlify or Vercel. Applications deployed as static exports are also not affected.

How to Mitigate the Risk of CVE-2025-29927?

You can mitigate the risk from CVE-2025-29927 in the following ways.

Update Immediately:

  • If using Next.js 12.x, update to 12.3.5 or above.
  • If using Next.js 13.x, update to 13.5.9 or above.
  • If using Next.js 14.x, update to 14.2.25 or above.
  • If using Next.js 15.x, update to 15.2.3 or above.

If you cannot update immediately:

  • Strip or block the “x-middleware-subrequest” header at the edge or proxy.
  • If you are using Cloudflare, you can enable Managed WAF.


Check Your App with ZeroThreat’s Next-gen DAST

Get insights into your threat landscape in minutes with ZeroThreat and check whether your application is affected by CVE-2025-29927 and thousands of other vulnerabilities. It is a vulnerability scanner that offers 98.9% accurate results and discovers vulnerabilities with near-zero false positives. It requires no configuration and no technical skills to run a scan, and it integrates easily into your DevOps workflow and existing security tools. Try it for free now.

Frequently Asked Questions

What is the workaround for the Next.js access control vulnerability?

If patching the Next.js middleware authentication flaw is not possible, you can use a workaround to reduce the risk: block external HTTP requests that include an x-middleware-subrequest header, which is what an attacker uses to compromise your application. Blocking them helps prevent exploitation of a vulnerable application.

How to fix middleware bypass vulnerability?

What could be the consequences if our site or web app is compromised?
