
May 1, 2025
CVE-2025-29927: Next.js Middleware Authorization Bypass
In this CVE blog, we explore a vulnerability in Next.js stemming from the improper trust of the x-middleware-subrequest header.
In March 2025, a critical vulnerability identified as CVE-2025-29927 was disclosed in Next.js, a popular React-based web framework. The flaw affects versions prior to 12.3.5, 13.5.9, 14.2.25, and 15.2.3. It stems from improper trust of the x-middleware-subrequest header, which is meant to prevent infinite middleware loops. By spoofing this header, attackers can bypass middleware logic entirely including authentication and authorization mechanisms thereby gaining unauthorized access to protected routes in vulnerable applications.
Due to the widespread reliance on middleware in Next.js apps, the impact is significant.
- CVE ID: CVE-2025-29927
- Severity: Critical
- CVSS Score: 9.1
- EPSS Score: 92.56
- Published: March 2025
- Affected Versions: < 12.3.5, < 13.5.9, < 14.2.25, < 15.2.3
- Patched Versions: 12.3.5, 13.5.9, 14.2.25, 15.2.3
Next.js uses middleware to enforce security policies such as authentication and authorization before routing requests. To avoid infinite loops during internal redirects or server-side rendering (SSR), it includes a special header x-middleware-subrequest in internal requests.
The flaw lies in the fact that this header is blindly trusted by the framework without verifying its origin. An attacker can spoof this header in a request, tricking the server into skipping the middleware layer entirely. This effectively bypasses all access control logic enforced by middleware, granting unauthorized access to protected routes.
An attacker sends a request with a spoofed x-middleware-subrequest header to impersonate an internal request.
Example Request:
GET /admin HTTP/1.1 Host: vulnerable-app.com x-middleware-subrequest: middleware |
This tricks the server into thinking it’s a trusted internal request, bypassing middleware logic such as session or role validation.
Impact
Successful exploitation can allow attackers to:
- Access protected routes without authentication
- Bypass critical authorization logic
- Perform privilege escalation
- Reach internal-only functionality exposed through middleware
An attacker could leverage the publicly available PoC to compromise vulnerable systems, like the one found in our OffSec Lab (available in Proving Grounds).
1. Check Your Next.js Version
- npm list next or yarn list next
- You are vulnerable if you’re running a version below:
- 12.3.5
- 13.5.9
- 14.2.25
- 15.2.3
2. Middleware Review
- Identify routes relying on middleware for access control.
3. Log Analysis
- Check access logs for unusual or unauthorized access attempts using x-middleware-subrequest.
4. Header Inspection
- Monitor for requests that explicitly include the x-middleware-subrequest header from external IPs.
Immediate Fix:
Upgrade Next.js to:
- 12.3.5+
- 13.5.9+
- 14.2.25+
- 15.2.3+
1. Workaround (if upgrade isn’t possible):
- Block or strip the `x-middleware-subrequest` header at the reverse proxy or edge layer (e.g., Nginx, Cloudflare, etc.)
2. Long-Term Best Practices:
- Don’t rely solely on middleware for authentication/authorization.
- Implement fallback access controls at the route/controller level.
https://nvd.nist.gov/vuln/detail/CVE-2025-29927
https://nextjs.org/blog/cve-2025-29927
https://securitylabs.datadoghq.com/articles/nextjs-middleware-auth-bypass
Stay in the know: Become an OffSec Insider
Get the latest updates about resources, events & promotions from OffSec!
Latest from OffSec

Research & Tutorials
CVE-2024-12029 – InvokeAI Deserialization of Untrusted Data vulnerability
CVE-2024-12029: A critical deserialization vulnerability in InvokeAI’s /api/v2/models/install endpoint allows remote code execution via malicious model files. Exploit risk for AI art servers.
Jul 17, 2025
0
Research & Tutorials
What is Phishing? Introduction to Phishing Demo (for Beginners)
Learn how phishing attacks work and how to spot them. Watch OffSec’s animated video to protect yourself from scams, spoofed sites, and social engineering.
Jul 15, 2025
2 min read

Research & Tutorials
CVE-2025-27636 – Remote Code Execution in Apache Camel via Case-Sensitive Header Filtering Bypass
Discover the critical Apache Camel vulnerability (CVE-2025-27636) that allows remote code execution via case-sensitive HTTP header manipulation in the exec component. Learn how attackers exploit this flaw and how to mitigate it.
Jul 10, 2025
2 min read