Critical flaw in Next.js lets hackers bypass authorization

A critical severity vulnerability has been discovered in the Next.js open-source web development framework, potentially allowing attackers to bypass authorization checks.

The flaw, tracked as CVE-2025-29927, enables attackers to send requests that reach destination paths without going through critical security checks.

Next.js is a popular React framework with more than 9 million weekly downloads on npm. It is used for building full-stack web apps and includes middleware components for authentication and authorization.

Front-end and full-stack developers use it to build web apps with React. Some of the more notable companies using it for their sites/apps are TikTok, Twitch, Hulu, Netflix, Uber, and Nike.

Authorization bypass

In Next.js, middleware components run before a request hits an application routing system and serve purposes like authentication, authorization, logging, error handling, redirecting users, applying geo-blocking or rate limits.

To prevent infinite loops where middleware re-triggers itself, Next.js uses a header called ‘x-middleware-subrequest’ that dictates if middleware functions should be applied or not.

The header is retrieved by the ‘runMiddleware’ function responsible for processing incoming requests. If it detects the ‘x-middleware-subrequest’ header, with a specific value, the entire middleware execution chain is bypassed and the request is forwarded to its destination.

An attacker can manually send a request that includes the header with a correct value and thus bypass protection mechanisms.

According to researchers Allam Rachid and Allam Yasser (inzo_), who discovered the vulnerability and published a technical write-up, “the header and its value act as a universal key allowing rules to be overridden.”

The vulnerability impacts all Next.js versions before 15.2.3, 14.2.25, 13.5.9. and 12.3.5. Users are recommended to upgrade to newer revisions as soon as possible, since technical details for exploiting the security issue are public.

Next.js’ security bulletin clarifies that CVE-2025-29927 impacts only self-hosted versions that use ‘next start’ with ‘output: standalone’. Next.js apps apps hosted on Vercel and Nerlify, or deployed as static exports, are not affected.

Also affected are environments where middleware is used for authorization or security checks and there is no validation later in the application.

If patching is not possible at the time, the recommendation is to block external user requests that include the ‘x-middleware-subrequest header’.