
May 1, 2025
CVE-2025-29927: Next.js Middleware Authorization Bypass
In this CVE blog, we explore a vulnerability in Next.js stemming from the improper trust of the x-middleware-subrequest header.
In March 2025, a critical vulnerability identified as CVE-2025-29927 was disclosed in Next.js, a popular React-based web framework. The flaw affects versions prior to 12.3.5, 13.5.9, 14.2.25, and 15.2.3. It stems from improper trust of the x-middleware-subrequest header, which is meant to prevent infinite middleware loops. By spoofing this header, attackers can bypass middleware logic entirely including authentication and authorization mechanisms thereby gaining unauthorized access to protected routes in vulnerable applications.
Due to the widespread reliance on middleware in Next.js apps, the impact is significant.
- CVE ID: CVE-2025-29927
- Severity: Critical
- CVSS Score: 9.1
- EPSS Score: 92.56
- Published: March 2025
- Affected Versions: < 12.3.5, < 13.5.9, < 14.2.25, < 15.2.3
- Patched Versions: 12.3.5, 13.5.9, 14.2.25, 15.2.3
Next.js uses middleware to enforce security policies such as authentication and authorization before routing requests. To avoid infinite loops during internal redirects or server-side rendering (SSR), it includes a special header x-middleware-subrequest in internal requests.
The flaw lies in the fact that this header is blindly trusted by the framework without verifying its origin. An attacker can spoof this header in a request, tricking the server into skipping the middleware layer entirely. This effectively bypasses all access control logic enforced by middleware, granting unauthorized access to protected routes.
An attacker sends a request with a spoofed x-middleware-subrequest header to impersonate an internal request.
Example Request:
GET /admin HTTP/1.1 Host: vulnerable-app.com x-middleware-subrequest: middleware |
This tricks the server into thinking it’s a trusted internal request, bypassing middleware logic such as session or role validation.
Impact
Successful exploitation can allow attackers to:
- Access protected routes without authentication
- Bypass critical authorization logic
- Perform privilege escalation
- Reach internal-only functionality exposed through middleware
An attacker could leverage the publicly available PoC to compromise vulnerable systems, like the one found in our OffSec Lab (available in Proving Grounds).
1. Check Your Next.js Version
- npm list next or yarn list next
- You are vulnerable if you’re running a version below:
- 12.3.5
- 13.5.9
- 14.2.25
- 15.2.3
2. Middleware Review
- Identify routes relying on middleware for access control.
3. Log Analysis
- Check access logs for unusual or unauthorized access attempts using x-middleware-subrequest.
4. Header Inspection
- Monitor for requests that explicitly include the x-middleware-subrequest header from external IPs.
Immediate Fix:
Upgrade Next.js to:
- 12.3.5+
- 13.5.9+
- 14.2.25+
- 15.2.3+
1. Workaround (if upgrade isn’t possible):
- Block or strip the `x-middleware-subrequest` header at the reverse proxy or edge layer (e.g., Nginx, Cloudflare, etc.)
2. Long-Term Best Practices:
- Don’t rely solely on middleware for authentication/authorization.
- Implement fallback access controls at the route/controller level.
https://nvd.nist.gov/vuln/detail/CVE-2025-29927
https://nextjs.org/blog/cve-2025-29927
https://securitylabs.datadoghq.com/articles/nextjs-middleware-auth-bypass
Stay in the know: Become an OffSec Insider
Get the latest updates about resources, events & promotions from OffSec!
Latest from OffSec

Research & Tutorials
CVE-2024-39914 – Unauthenticated Command Injection in FOG Project’s export.php
Discover details about CVE-2024-39914, a critical unauthenticated command injection vulnerability in FOG Project ≤ 1.5.10.34. Learn how attackers can exploit export.php to execute system commands or deploy persistent webshells.
Jun 26, 2025
2 min read

OffSec News
What It Really Means to “Try Harder”
Discover how OffSec’s “Try Harder” mantra evolved into a mindset, and how it helps learners build grit, creativity, and real-world problem-solving skills.
Jun 23, 2025
7 min read

Research & Tutorials
CVE-2025-3248 – Unauthenticated Remote Code Execution in Langflow via Insecure Python exec Usage
CVE-2025-3248 is a critical RCE vulnerability in Langflow that allows unauthenticated attackers to execute arbitrary Python code via unsanitized input to exec(). Learn how it works and how to protect your system.
Jun 18, 2025
2 min read