Huseyin Can YUCEEL | March 24, 2025 | 5 MIN READ

LAST UPDATED ON MARCH 24, 2025

CVE-2025-29927: Next.js Middleware Bypass Vulnerability Explained

On March 21st, 2025, Vercel disclosed a critical vulnerability affecting Next.js middleware [1]. CVE-2025-29927 is an authorization bypass vulnerability that impacts the framework's middleware system, which is often used by developers to enforce authentication, authorization, path rewriting, server-side redirects, and security-related headers like Content Security Policy (CSP). Given the popularity of Next.js, with millions of downloads weekly, the vulnerability may have a severe impact on services that use vulnerable versions of Next.js.

In this blog, we explain how the Next.js CVE-2025-29927 vulnerability works and how organizations can defend against CVE-2025-29927 attacks.


Next.js CVE-2025-29927 Vulnerability Explained

Next.js is an open-source web development framework built on top of React, designed to make building fast, scalable, and user-friendly web applications easier. Its middleware feature allows developers to run custom code for tasks like authentication, redirects, and modifying responses before a request reaches the final page.

On February 27th, 2025, security researchers reported to Vercel that Next.js is vulnerable to authentication bypass [2]. The vulnerability allows adversaries to gain unauthorized access to protected routes such as "/dashboard/admin". CVE-2025-29927 has a CVSS score of 9.1 (Critical).

This vulnerability affects the Next.js versions below, and organizations are advised to patch their vulnerable Next.js applications without delay.

Product Name | Affected Versions              | Fixed Versions
-------------|--------------------------------|--------------------------------------
Next.js      | Version 15.x                   | 15.2.3 and later
Next.js      | Version 14.x                   | 14.2.25 and later
Next.js      | Versions 11.1.4 through 13.5.6 | Apply the workaround explained below.

How Does the Next.js CVE-2025-29927 Exploit Work?

The CVE-2025-29927 vulnerability is caused by the misuse of a special internal HTTP header called x-middleware-subrequest. This header was originally designed for internal framework operations to prevent middleware from processing the same request repeatedly, thus avoiding infinite loops. However, a design flaw allowed external attackers to supply this header themselves and control how the middleware operated. By crafting a request with a specific x-middleware-subrequest value, attackers could trick the application into skipping middleware execution entirely. As a result, any security controls implemented in the middleware, such as access restrictions or session validation, could be completely bypassed.

The example HTTP GET request below exploits the CVE-2025-29927 vulnerability to access the admin dashboard without authentication.

GET /dashboard/admin HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate, br
X-Middleware-Subrequest: src/middleware:nowaf:src/middleware:src/middleware:src/middleware:src/middleware:middleware:middleware:nowaf:middleware:middleware:middleware:pages/_middleware

Next.js CVE-2025-29927 Vulnerability Exploit Example

Workaround for CVE-2025-29927 Vulnerability

If patching is not immediately possible, implementing a workaround is essential to protect vulnerable Next.js applications from potential exploitation. The primary goal of the workaround is to prevent external requests from reaching the Next.js application with the x-middleware-subrequest header, which is the key component attackers leverage to bypass middleware-based authorization and security controls.

The most effective approach is to strip this header as early as possible in the request handling process. If your application is deployed behind a load balancer or a reverse proxy, such as AWS Elastic Load Balancer (ELB), Cloudflare, or any similar service, you can configure rules to remove the x-middleware-subrequest header from all incoming traffic. By doing this, even if an attacker sends a malicious request containing this header, it will not reach the vulnerable Next.js application and cannot influence middleware execution.

Alternatively, for web servers like Nginx or Apache in front of the vulnerable Next.js application, users can modify the server configuration to strip or unset the header. For Nginx, the proxy_set_header directive explicitly sets the x-middleware-subrequest header to an empty value, which causes Nginx to drop it from the proxied request. In Apache, the mod_headers module allows you to unset the header entirely using the RequestHeader unset directive. Both methods ensure that the header is removed before the request is forwarded to your application.

# Nginx (inside the location or server block that proxies to Next.js)
proxy_set_header x-middleware-subrequest "";

# Apache (requires mod_headers)
RequestHeader unset x-middleware-subrequest

If your deployment uses a custom Node.js server, such as an Express.js server, you can implement middleware at the application level to delete the header from each incoming request [3]. This is done by defining a small piece of middleware code that runs before Next.js processes the request. The code deletes the x-middleware-subrequest header from the request object and then calls the next function to continue processing.

// Register before the Next.js request handler so the header never reaches it
app.use((req, res, next) => {
  // Node.js lower-cases incoming header names, so this key matches any casing
  delete req.headers['x-middleware-subrequest'];
  next();
});
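The following is an added example, not code from the Picus post or from the Next.js project. It extends the Express-level workaround above and also gives defenders detection logic for the bypass described in the exploit section: the header is stripped under any casing and turned into a finding that can be logged or alerted on. It assumes a Node.js-shaped request object (header keys lower-cased, repeated headers as an array) and uses hypothetical function names and a constructed sample request.

```javascript
// Added example, not code from the Picus post or from Next.js: an Express-style
// handler that strips the internal x-middleware-subrequest header before Next.js
// sees it, plus a helper that turns the header into a finding for logging. It
// works on plain objects shaped like a Node.js request, so needs no framework.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Any externally supplied x-middleware-subrequest is suspicious: Next.js sets
// it for its own internal subrequests, so a browser or API client never should.
function inspectSubrequestHeader(headers) {
  const keys = Object.keys(headers).filter(
    (k) => k.toLowerCase() === SUBREQUEST_HEADER,
  );
  if (keys.length === 0) return { suspicious: false, value: '', segments: [] };
  // A value may arrive as a string or, if the header was sent twice, an array.
  const values = keys.flatMap((k) => [].concat(headers[k]).map(String));
  // Each value is a colon-separated list of middleware path names.
  const segments = values.flatMap((v) => v.split(':'))
    .map((s) => s.trim()).filter(Boolean);
  return { suspicious: true, value: values.join(','), segments };
}

// Register before the Next.js request handler: drops the header under any
// casing and keeps the finding on req so a later logger can emit it.
function stripSubrequestHeader(req, res, next) {
  const finding = inspectSubrequestHeader(req.headers);
  if (finding.suspicious) {
    for (const k of Object.keys(req.headers)) {
      if (k.toLowerCase() === SUBREQUEST_HEADER) delete req.headers[k];
    }
    req.subrequestFinding = finding;
  }
  next();
}

// Constructed sample request modelled on the exploit request in the post.
const sampleReq = {
  url: '/dashboard/admin',
  headers: {
    host: 'app.example', // placeholder host
    'x-middleware-subrequest':
      'src/middleware:nowaf:src/middleware:middleware:pages/_middleware',
  },
};

stripSubrequestHeader(sampleReq, {}, () => {
  console.log('header removed:', !(SUBREQUEST_HEADER in sampleReq.headers));
  console.log('segments seen:', sampleReq.subrequestFinding.segments.length);
});
```

In a real deployment, pass `stripSubrequestHeader` to `app.use()` ahead of the Next.js handler and forward `req.subrequestFinding` to your request logger, since any hit is worth investigating.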

How Does Picus Help Simulate Next.js CVE-2025-29927 Attacks?

We also strongly suggest simulating the Next.js CVE-2025-29927 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.

The Picus Threat Library includes the following threats for Next.js CVE-2025-29927 vulnerability exploitation attacks:

Threat ID | Threat Name                 | Attack Module
----------|-----------------------------|----------------
58006     | Next.js Web Attack Campaign | Web Application

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] "Authorization Bypass in Next.js Middleware," GitHub. Available: https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw

[2] V. R., "Next.js and the corrupt middleware: the authorizing artifact," zhero_web_security, Mar. 18, 2025. Available: https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

[3] P. Chaddha, "CVE-2025-29927: Next.js Middleware Authorization Bypass - Technical Analysis," ProjectDiscovery Blog. Available: https://projectdiscovery.io/blog/nextjs-middleware-authorization-bypass
