
Critical Middleware Bypass Vulnerability in Next.js (CVE-2025-29927)

Mar 24, 2025

Overview

CVE-2025-29927 is a critical security vulnerability in Next.js, a popular React framework for building full-stack web applications. This flaw allows attackers to bypass middleware checks, which are often used to enforce security measures like authentication, authorization, or other request-handling logic. The vulnerability stems from how Next.js handles the x-middleware-subrequest header, an internal mechanism designed to prevent infinite request loops. By crafting a request with this header, an attacker can skip middleware execution entirely, potentially accessing protected resources or bypassing critical security controls.

Technical Details

The issue affects Next.js versions from 11.1.4 up to, but not including, 14.2.25 and 15.2.3. It has a CVSS score of 9.1, classifying it as "Critical" due to its ease of exploitation—no authentication or user interaction is required—and its potential for significant impact, such as unauthorized access or data breaches.

Patching and Mitigation

The Next.js team patched this vulnerability in versions 14.2.25 and 15.2.3.
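The affected range in the Technical Details section and the patched releases named above can be turned into a dependency check. The following is an added example, not code from Stormkit or the Next.js project: it parses a declared "next" version, decides whether it falls inside the range the advisory gives (11.1.4 and later, below 14.2.25 and 15.2.3), and audits a constructed sample package.json. The sample manifest and the function names are assumptions.

```javascript
// Added example, not code from Stormkit or the Next.js project.
// Checks whether a declared "next" version falls inside the affected range
// stated in the advisory: 11.1.4 and later, below the patched releases
// 14.2.25 and 15.2.3. Majors the advisory does not name are treated as unaffected.

const FIRST_AFFECTED = [11, 1, 4];
const PATCHED = { 14: [14, 2, 25], 15: [15, 2, 3] };

// Parse "15.2.2", "v15.2.2" or "15.2.3-canary.1" into [major, minor, patch].
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`cannot parse version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (compareVersions(v, FIRST_AFFECTED) < 0) return false;
  const patched = PATCHED[v[0]];
  if (patched) return compareVersions(v, patched) < 0;
  // The advisory names no patched release for majors 11 to 13, so everything
  // from 11.1.4 through the 13.x line counts as affected; later majors do not.
  return v[0] < 14;
}

// Strip the range prefix a package.json may carry ("^14.2.0", "~15.1.0", ">=13.0.0").
// The actually installed version comes from the lockfile; the declared range is a hint.
function declaredVersion(spec) {
  return String(spec).replace(/^[\^~>=<\s]+/, '');
}

// Audit a parsed package.json object. Returns null when "next" is not declared.
function auditPackageJson(pkg) {
  const spec = (pkg.dependencies && pkg.dependencies.next) ||
               (pkg.devDependencies && pkg.devDependencies.next);
  if (!spec) return null;
  const version = declaredVersion(spec);
  return { version, affected: isAffected(version) };
}

// Constructed sample manifest (assumption, not a real project).
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: { next: '^14.2.20', react: '^18.3.0' },
};
```

Run the audit against the lockfile's resolved version rather than the manifest range where possible: a caret range such as "^14.2.20" may already resolve to a patched 14.2.25 in package-lock.json, and only the resolved version tells you what is deployed.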

Workaround

For those unable to update immediately, a recommended workaround is to block external requests containing the x-middleware-subrequest header at the edge or proxy level, outside the application itself.

Impact and Scope

While commonly associated with bypassing authentication or authorization, the vulnerability's scope isn't limited to those cases—it can also affect other middleware functions, potentially enabling attacks like Content Security Policy (CSP) bypass or denial-of-service via cache poisoning, depending on the application's configuration.

Self-hosted Next.js applications using middleware with next start or output: 'standalone' are particularly at risk, whereas Vercel-hosted deployments were automatically patched.

Ref: https://nextjs.org/blog/cve-2025-29927

2025 Stormkit OÜ ©