Next.js Middleware Flaw Lets Attackers Bypass Authorization

A recent collaborative effort by researchers Rachid Allam and Yasser Allam has exposed a critical vulnerability within the Next.js framework, a widely used JavaScript framework based on React with nearly 10 million weekly downloads.

Their research, documented in a detailed publication, reveals a flaw in the Next.js middleware that allows unauthorized access to protected resources and affects every release line from 11.1.4 onward. The flaw is tracked as CVE-2025-29927 and rated critical (CVSS 9.1).

The vulnerability lies in the middleware function, a component that runs before a request is completed and is frequently used for security-critical work such as authentication and authorization checks, redirects and header injection. The flaw lets an attacker skip the middleware entirely, and with it every check it was supposed to enforce.

The core of the vulnerability lies in the handling of the “x-middleware-subrequest” header. By sending this header with a specific value on an ordinary external request, an attacker causes Next.js to skip the middleware altogether, gaining unauthorized access. As Allam explained, “The header and its value act as a universal key allowing rules to be overridden.”

The vulnerability stems from code intended to prevent recursive requests: Next.js sets the header on its own internal subrequests so that middleware does not re-invoke itself in an infinite loop. Because the framework did not distinguish a header it set itself from one supplied by a client, this very safeguard became the authorization bypass.

The value required for this bypass is derived from the middleware’s path, which, depending on the Next.js version, is “middleware,” “src/middleware,” or a variation involving the “pages” directory in older versions. Because the middleware file can only live in a handful of locations, the value is trivially guessable. In recent release lines (14.x and 15.x) the check counts how many times the name appears in the colon-separated header value against a recursion limit of five, so the attacker simply repeats the name five times, e.g. “middleware:middleware:middleware:middleware:middleware”.

Researchers demonstrated various exploits, including authorization/rewrite bypasses, Content Security Policy (CSP) bypasses, and even potential Denial-of-Service (DoS) attacks through cache poisoning.

“If the site has a cache/CDN system, it may be possible to force the caching of a 404 response, rendering its pages unusable,” they noted, highlighting the wide range of potential impacts.

They initially believed that only versions 12.0.0 and 12.0.7 were affected but later identified that all versions were vulnerable and duly notified the Next.js team.

The team promptly acknowledged the vulnerability, issuing an advisory and providing patches for vulnerable versions.

  • For Next.js 15.x, this issue is fixed in 15.2.3.
  • For Next.js 14.x, this issue is fixed in 14.2.25.
  • For Next.js 13.x, this issue is fixed in 13.5.9.
  • For Next.js 12.x, this issue is fixed in 12.3.5.

Versions that cannot be upgraded (including the unsupported 11.x line) require a workaround: block external requests that carry the “x-middleware-subrequest” header, or strip the header at a reverse proxy or WAF before the request reaches the application.
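The following is an added example, not code from Next.js or from the researchers’ write-up. It models in plain Node.js the pre-patch dispatch decision described above (skip the middleware once the recursion limit is met), shows the crafted header reaching a protected route, and then applies the two mitigations discussed in this article: stripping the header from external requests, and re-checking authorization inside the route handler rather than trusting the middleware alone. The middleware location (“src/middleware”), the session store and the request objects are all assumptions constructed for the example.

```javascript
// Added example: a plain-Node model of the CVE-2025-29927 dispatch logic and
// its mitigations. Not Next.js source code; layout and sessions are assumed.

// Assumed project layout: middleware lives at src/middleware, so the internal
// name Next.js would compare against is "src/middleware". The recursion limit
// of five matches the check used by the 14.x and 15.x release lines.
const MIDDLEWARE_NAME = 'src/middleware';
const MAX_RECURSION_DEPTH = 5;

// Constructed session store standing in for a real session backend.
const SESSIONS = new Map([['s3cr3t-token', { user: 'alice', role: 'admin' }]]);

function sessionFromCookie(cookieHeader = '') {
  const match = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader);
  return match ? SESSIONS.get(match[1]) || null : null;
}

// Pre-patch behaviour: the header Next.js sets on its own internal subrequests
// (to stop middleware re-invoking itself) is honoured even when a client sends
// it. Five repeats of the middleware name meet the limit, so middleware is skipped.
function middlewareSkippedVulnerable(headers) {
  const chain = (headers['x-middleware-subrequest'] || '').split(':');
  const depth = chain.filter((name) => name === MIDDLEWARE_NAME).length;
  return depth >= MAX_RECURSION_DEPTH;
}

// The application's middleware: an auth gate in front of /admin.
function authMiddleware(req) {
  if (req.path.startsWith('/admin') && !sessionFromCookie(req.headers.cookie)) {
    return { status: 401, body: 'middleware: login required' };
  }
  return null; // equivalent of NextResponse.next()
}

// A route handler that trusts middleware to have done the check.
function adminHandlerTrusting() {
  return { status: 200, body: 'admin panel' };
}

// Vulnerable server: middleware only runs when the recursion check allows it.
function serveVulnerable(req) {
  if (!middlewareSkippedVulnerable(req.headers)) {
    const blocked = authMiddleware(req);
    if (blocked) return blocked;
  }
  return adminHandlerTrusting(req);
}

// Mitigation 1 (the workaround for unpatched versions): drop the internal
// header from external requests before the framework sees them, e.g. at a
// reverse proxy or WAF.
function stripInternalHeaders(headers) {
  const clean = { ...headers };
  delete clean['x-middleware-subrequest'];
  return clean;
}

// Mitigation 2 (defence in depth): the handler checks the session itself, so a
// middleware bypass on its own no longer grants access.
function adminHandlerHardened(req) {
  const session = sessionFromCookie(req.headers.cookie);
  if (!session || session.role !== 'admin') {
    return { status: 403, body: 'handler: admin role required' };
  }
  return { status: 200, body: `admin panel for ${session.user}` };
}

function serveHardened(req) {
  const cleaned = { ...req, headers: stripInternalHeaders(req.headers) };
  if (!middlewareSkippedVulnerable(cleaned.headers)) {
    const blocked = authMiddleware(cleaned);
    if (blocked) return blocked;
  }
  return adminHandlerHardened(cleaned);
}

// Constructed requests: anonymous, logged in, and the bypass attempt.
const anonymous = { path: '/admin', headers: {} };
const loggedIn = { path: '/admin', headers: { cookie: 'session=s3cr3t-token' } };
const bypass = {
  path: '/admin',
  headers: {
    'x-middleware-subrequest': Array(MAX_RECURSION_DEPTH).fill(MIDDLEWARE_NAME).join(':'),
  },
};

for (const [label, req] of [['anonymous', anonymous], ['logged in', loggedIn], ['bypass', bypass]]) {
  console.log(label, 'vulnerable:', serveVulnerable(req).status, 'hardened:', serveHardened(req).status);
}
```

Run with `node` and the bypass request is served with 200 by the vulnerable path but rejected by the hardened one; note that the handler-level check (mitigation 2) is what still protects the resource if a proxy rule is misconfigured and the header slips through.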

Notably, applications hosted on Vercel or Netlify were automatically protected before the patched releases shipped. The framework’s maintainers have since admitted to missing “the mark on partner communications” and have committed to improving future security advisories by establishing a dedicated partner mailing list.

[Image: Next.js post on X (Source: zhero_web_security)]

The Next.js documentation, which previously highlighted middleware’s role in authentication and authorization, has since been updated to state that middleware should not be the only place authorization is enforced; route handlers and data-access code must check it as well.

The discovery and disclosure of CVE-2025-29927 show why authorization has to be enforced at the protected resource itself, not only in a framework layer that sits in front of it, especially in frameworks as widely deployed as Next.js.
