A newly disclosed critical security vulnerability in the popular Next.js React framework, tracked as CVE-2025-29927, has sent ripples through the developer community due to its potential to bypass middleware-based authorization mechanisms. With a CVSS score of 9.1, this vulnerability is classified as critical, making immediate attention and action essential for all developers using affected versions of Next.js.
Vulnerability Overview
Discovered and publicly disclosed by security researcher Rachid Allam (aka zhero and cold-try), this flaw targets how Next.js handles the x-middleware-subrequest header, a mechanism originally designed to prevent infinite middleware request loops. Unfortunately, under certain conditions, malicious actors can manipulate this header to skip middleware execution entirely, effectively bypassing cookie-based or other forms of authorization checks implemented in middleware.
The flaw poses the greatest risk to applications that rely solely on middleware for access control, especially those protecting sensitive routes such as admin panels or privileged APIs. In such scenarios, attackers could potentially access data or functionality reserved for authenticated or high-level users without proper authorization.
Vulnerability Summary
| Attribute | Details |
|---|---|
| Threat Name | CVE-2025-29927 |
| Threat Type | Middleware Authorization Bypass |
| Detection Names | None assigned; monitored via CVE databases and source code audits |
| CVSS Score | 9.1 (Critical) |
| Affected Framework | Next.js |
| Affected Versions | Versions prior to 12.3.5, 13.5.9, 14.2.25, and 15.2.3 |
| Symptoms of Exploitation | Unauthorized access to protected routes, elevated privileges without login |
| Damage Potential | High: privileged access, data exposure, broken access control |
| Distribution Method | Exploitation via specially crafted external HTTP requests |
| Known Exploits | Publicly disclosed; potential for mass exploitation |
| Danger Level | Critical |
| Reported By | Rachid Allam (zhero, cold-try) |
| Associated Emails | Not applicable |
What Makes CVE-2025-29927 So Dangerous?
The key issue here is middleware-only authorization. Many Next.js developers use middleware as a lightweight solution for verifying user sessions, roles, or other security tokens before allowing access to specific pages. However, this vulnerability allows malicious clients to inject the x-middleware-subrequest header in external requests, tricking Next.js into treating the request as if it had already passed through middleware.
This opens the door to unauthorized access, especially in applications that store sensitive user data, enable account management, or offer admin functionalities without additional backend security layers.
JFrog researchers have emphasized the importance of layered security in modern applications. Depending entirely on frontend or middleware authorization can lead to devastating consequences when such a bypass is available.
Patched Versions and Developer Action
The Next.js development team has already released patches addressing this issue in the following versions:
- 12.3.5
- 13.5.9
- 14.2.25
- 15.2.3
Developers are strongly urged to upgrade to the appropriate patched version immediately. For those unable to update right away, it is strongly recommended to block all external requests containing the x-middleware-subrequest header to reduce exposure.
Removal & Mitigation Guide for CVE-2025-29927
The CVE-2025-29927 vulnerability in the Next.js framework allows attackers to bypass middleware-based authorization by manipulating the x-middleware-subrequest header. To protect your application, follow the steps below to remove the vulnerability and harden your security posture.
Step 1: Upgrade to a Patched Version
The safest and most effective way to address this flaw is by upgrading Next.js to a patched version.
Upgrade Targets:
- 12.3.5
- 13.5.9
- 14.2.25
- 15.2.3
How to upgrade:
Open your terminal and run the appropriate command for your project:
```bash
npm install next@12.3.5
# or for newer versions
npm install next@15.2.3
```
Then, rebuild your project:
```bash
npm run build
```
Step 2: Implement Temporary Header Filtering (If You Can’t Patch)
If you’re unable to upgrade immediately, implement a server-side filter to block requests containing the x-middleware-subrequest header from untrusted sources.
Example (Next.js Custom Server – Express):
```javascript
const express = require('express');
const next = require('next');

const app = next({ dev: false });
const handle = app.getRequestHandler();

app.prepare().then(() => {
  const server = express();

  // Header check middleware: Node lowercases incoming header names, so this
  // matches any casing of x-middleware-subrequest sent by an external client.
  server.use((req, res, next) => {
    if (req.headers['x-middleware-subrequest']) {
      return res.status(403).send('Forbidden: Malicious header detected');
    }
    next();
  });

  // Everything else is handed to Next.js as usual.
  server.all('*', (req, res) => handle(req, res));

  server.listen(3000, () => {
    console.log('Server listening on port 3000');
  });
});
```
Example (Vercel Middleware – Edge Function Filter):
```javascript
import { NextResponse } from 'next/server';

export function middleware(request) {
  // Reject any request that arrives carrying the loop-prevention header.
  const headerValue = request.headers.get('x-middleware-subrequest');
  if (headerValue) {
    return new Response('Forbidden', { status: 403 });
  }
  return NextResponse.next();
}
```
Step 3: Strengthen Authorization Logic
Avoid relying solely on middleware for authentication or access control.
- Use server-side checks on API routes and page-level logic.
- Verify user sessions or tokens within your server logic (e.g., inside getServerSideProps or API route handlers).
- Implement role-based access control (RBAC) at the route or controller level, not just in middleware.
Step 4: Test for Exploitable Behavior
After patching or mitigating:
- Simulate a forged request with the x-middleware-subrequest header.
- Attempt to access restricted routes or admin panels.
- Verify that the request is denied or redirected appropriately.
Use tools like Postman, curl, or Burp Suite to test request manipulation:
```bash
curl -H "x-middleware-subrequest: 1" https://yourdomain.com/admin
```
Step 5: Monitor and Log Suspicious Activity
- Set up WAF (Web Application Firewall) rules to detect suspicious headers.
- Use logging tools to monitor for repeated requests containing the x-middleware-subrequest header.
- Investigate anomalies in access logs, especially for admin or restricted routes.
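One way to turn the monitoring points above into a check, as an added example that is not part of the article: scan access-log lines for requests that carried the x-middleware-subrequest header, count them per client IP, and flag any that received a 2xx on a restricted route. The one-JSON-object-per-line log format, the field names, the restricted path prefixes and the sample lines are all constructed for the demo; map them onto whatever your reverse proxy or logger emits.

```javascript
// Added example (not from the advisory): scan JSON access-log lines for requests that
// carried the x-middleware-subrequest header and rank them by client IP.
// Log format (ip, method, path, status, headers per line) is assumed, not a Next.js format.
const RESTRICTED_PREFIXES = ['/admin', '/api/admin', '/dashboard'];

// Constructed sample log lines for the demo (IPs are documentation ranges).
const SAMPLE_LOG = [
  '{"ts":"2025-03-22T10:00:01Z","ip":"203.0.113.7","method":"GET","path":"/","status":200,"headers":{}}',
  '{"ts":"2025-03-22T10:00:05Z","ip":"203.0.113.7","method":"GET","path":"/admin","status":200,"headers":{"X-Middleware-Subrequest":"1"}}',
  '{"ts":"2025-03-22T10:00:06Z","ip":"203.0.113.7","method":"GET","path":"/api/admin/users","status":200,"headers":{"x-middleware-subrequest":"1"}}',
  '{"ts":"2025-03-22T10:00:09Z","ip":"198.51.100.2","method":"GET","path":"/dashboard","status":302,"headers":{}}',
  '{"ts":"2025-03-22T10:00:12Z","ip":"198.51.100.9","method":"GET","path":"/blog","status":200,"headers":{"x-middleware-subrequest":"1"}}',
  'not json at all',
].join('\n');

// Prefix match on path segments, so /administrator does not count as /admin.
function isRestricted(path) {
  return RESTRICTED_PREFIXES.some(p => path === p || path.startsWith(p + '/'));
}

// Returns { hits, byIp }: every request seen with the header, plus a per-IP count.
function detectSubrequestBypass(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    // Header names may be logged in any case; normalise before looking up.
    const headers = Object.fromEntries(Object.entries(rec.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
    if (!('x-middleware-subrequest' in headers)) continue;
    const success = rec.status >= 200 && rec.status < 300;
    hits.push({
      ts: rec.ts, ip: rec.ip, path: rec.path, status: rec.status,
      // A 2xx on a restricted route is the strongest signal that the bypass succeeded.
      severity: isRestricted(rec.path) && success ? 'high' : 'low',
    });
  }
  const byIp = {};
  for (const h of hits) byIp[h.ip] = (byIp[h.ip] || 0) + 1;
  return { hits, byIp };
}
```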
Conclusion
The disclosure of CVE-2025-29927 highlights the dangers of trusting middleware as the only layer of authorization. With the technical details now publicly available, threat actors are likely to exploit this vulnerability if developers delay applying patches or implementing effective mitigations. If your application is built on Next.js and uses middleware for authorization, your user data and protected routes may already be at risk. Update now, before unauthorized visitors find their way in.