Blue Byte
Next.js Middleware Broken Access Controls

Recently, an authorization bypass vulnerability was discovered in the Next.js framework (one of the most popular web frameworks today). It was cataloged as CVE-2025-29927 and received a CVSS score of 9.1 (critical). The flaw affects self-hosted applications that use middleware, or rely on it, for security validations; static sites hosted on Netlify or Vercel are not affected.

In technical terms, Next.js middleware relies on the X-Middleware-Subrequest HTTP header to prevent infinite recursion (the middleware re-invoking itself) and the application crashes that would follow. When the middleware is also used for security checks, and more specifically for deciding whether a request may access a restricted endpoint, a request that supplies this header can bypass those checks and reach confidential paths.

Want an example? Consider an application in which a user without the administrative role is prohibited from accessing the administrative endpoint. That user can nevertheless reach it by sending a special header whose value is the middleware path (often /pages/_middleware, or just middleware):

```http
GET /administration HTTP/1.1
Host: vulnerable-website.com
User-Agent: Mozilla/5.0
x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware
```

In this case, the vulnerable application returns status code 200 OK, granting the malicious user access to the restricted endpoint. The best mitigation is to update the framework to the latest version. If updating is not possible, Next.js itself recommends stripping this header from incoming requests, for example with a rule in the load balancer or reverse proxy.
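As an added example (not code from the post or from Next.js), here is what the recommended edge-layer mitigation looks like in a small Node.js proxy handler: it drops any client-supplied x-middleware-subrequest header before forwarding to the upstream app and records the attempt so it can be alerted on. Function names and the sample request are hypothetical.

```javascript
// Added example (not from the post or from Next.js): an edge-layer mitigation
// for self-hosted deployments that cannot patch yet. It strips the internal
// x-middleware-subrequest header before the request reaches Next.js and
// records the attempt for alerting. Function names are hypothetical.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Next.js sets this header only on its own internal sub-requests, so a copy
// arriving from a client is never legitimate. Matching is case-insensitive.
function hasSubrequestHeader(headers) {
  return Object.keys(headers).some((n) => n.toLowerCase() === SUBREQUEST_HEADER);
}

// Copy of the headers with every spelling of the header removed. Node.js
// lowercases header names, but proxies on other stacks may not.
function stripSubrequestHeader(headers) {
  return Object.fromEntries(
    Object.entries(headers).filter(([n]) => n.toLowerCase() !== SUBREQUEST_HEADER),
  );
}

// Edge handler: audit, sanitise, then forward to the upstream Next.js app.
// `forward(request)` is the caller's upstream call (e.g. http.request) and
// `audit(event)` its logging sink; both are injected so the logic is testable.
function handleRequest(request, forward, audit) {
  if (hasSubrequestHeader(request.headers)) {
    audit({
      kind: 'client-supplied-middleware-subrequest-header',
      client: request.remoteAddress,
      method: request.method,
      path: request.path,
    });
  }
  return forward({ ...request, headers: stripSubrequestHeader(request.headers) });
}

// Constructed sample request mirroring the one shown in the post.
const sampleRequest = {
  method: 'GET',
  path: '/administration',
  remoteAddress: '203.0.113.7',
  headers: {
    host: 'vulnerable-website.com',
    'user-agent': 'Mozilla/5.0',
    'X-Middleware-Subrequest': 'src/middleware:src/middleware:src/middleware',
  },
};
```

Running the sample through handleRequest yields one audit event and a forwarded request that carries only the Host and User-Agent headers, so the upstream middleware performs its normal authorization check.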
