DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-29927: Next.js Middleware Bypass: When 'I'm With The Band' Actually Works

Vulnerability ID: CVE-2025-29927
CVSS Score: 9.1
Published: 2025-03-21

A critical authorization bypass in the Next.js framework allows attackers to skip middleware execution entirely by injecting a specific internal HTTP header. This effectively removes the 'bouncer' from the door of your application, granting unauthorized access to protected routes.

TL;DR

By sending the x-middleware-subrequest header, attackers can trick the Next.js router into believing a request has already passed security checks. This bypasses authentication and access controls defined in middleware.ts. Patched versions introduce a server-side secret to validate this header.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • CWE ID: CWE-285 (Improper Authorization)
  • CVSS v3.1: 9.1 (Critical)
  • Attack Vector: Network (AV:N)
  • EPSS Score: 92.90%
  • Exploit Status: Active / High Availability
  • KEV Status: Not Listed (Monitoring Recommended)

Affected Systems

  • Next.js Framework (Self-Hosted)
  • Node.js Applications using Next.js Middleware
  • Dockerized Next.js deployments
  • Next.js: 11.1.4 - 12.3.4 (Fixed in: 12.3.5)
  • Next.js: 13.0.0 - 13.5.8 (Fixed in: 13.5.9)
  • Next.js: 14.0.0 - 14.2.24 (Fixed in: 14.2.25)
  • Next.js: 15.0.0 - 15.2.2 (Fixed in: 15.2.3)

Code Analysis

Commit: 52a078d

Initial fix implementation adding subrequest ID validation

    // Strip the internal header unless the request also carries the per-process secret id
    if (
      header === 'x-middleware-subrequest' &&
      headers['x-middleware-subrequest-id'] !==
        (globalThis as any)[Symbol.for('@next/middleware-subrequest-id')]
    ) {
      delete headers['x-middleware-subrequest']
    }

Commit: 5fd3ae8

Backport of fix to older versions

N/A

Exploit Details

Mitigation Strategies

  • Upgrade Next.js to the latest patched version.
  • Implement WAF or reverse-proxy rules that strip the x-middleware-subrequest header from inbound requests.
  • Migrate to Vercel hosting (which manages this at the infrastructure level).

Remediation Steps:

  1. Identify the current Next.js version in package.json.
  2. Update to one of the safe versions: 12.3.5, 13.5.9, 14.2.25, or 15.2.3.
  3. If patching is delayed, add a rule to Nginx: proxy_set_header x-middleware-subrequest "";
  4. Verify the fix by attempting the curl exploit against your staging environment.

Read the full report for CVE-2025-29927 on our website for more details including interactive diagrams and full exploit analysis.
