
Critical Middleware Vulnerability in Next.js (CVE-2025-29927)

Researchers have discovered a critical security vulnerability in Next.js that allows attackers to easily bypass middleware authorization measures. The vulnerability, designated CVE-2025-29927, was discovered by Rachid Allam and Yasser Allam and has since been assigned a base CVSS score of 9.1. By skipping checks for authorization cookies, attackers can potentially gain access to restricted areas of applications such as admin tools and dashboards. Because of the ease of exploitation and high impact, this vulnerability poses a significant risk to affected systems.

What is CVE-2025-29927?

CVE-2025-29927 is a critical vulnerability in Next.js, a popular React-based web framework, that was publicly disclosed in March 2025. It affects self-hosted applications running versions 11.1.4 through 15.2.2 using the next start command with output: 'standalone'.

The vulnerability allows attackers to bypass authorization middleware by injecting a specially crafted x-middleware-subrequest HTTP header, granting unauthorized access to protected resources. With a CVSS score of 9.1, this flaw poses a serious security risk, particularly for applications that rely solely on middleware for access control without implementing additional server-side authorization checks. While deployments on platforms like Vercel or using static exports are not affected, self-hosted instances must be promptly updated or reconfigured to mitigate potential exploitation.

Affected Versions and Fixes

CVE-2025-29927 impacts self-hosted Next.js applications running versions 11.1.4 through 15.2.2, specifically when deployed using the next start command with the output: 'standalone' configuration.

The vulnerability is present in environments where applications rely solely on middleware-based authorization, without implementing additional server-side authentication or access control mechanisms. A key condition for exploitation is the acceptance of the x-middleware-subrequest HTTP header from external sources, which can be used by attackers to trick the application into bypassing middleware logic. Applications deployed on Vercel, Netlify, or as static exports are not vulnerable, as those environments do not expose the middleware in a way that can be exploited. The issue has been patched in the following versions: 15.2.3, 14.2.25, 13.5.9, and 12.3.5, and all users are strongly encouraged to upgrade to these or later versions to mitigate the risk.

Steps to Remediate or Mitigate the Vulnerability

To address CVE-2025-29927, consider the following actions:

  1. Update Next.js: Upgrade to the latest patched versions:
    • For Next.js 15.x, update to version 15.2.3.
    • For Next.js 14.x, update to version 14.2.25.
    • For Next.js 13.x, update to version 13.5.9.
    • For Next.js 12.x, update to version 12.3.5.
  2. Implement workarounds if immediate patching isn’t possible:
    • Filter incoming requests: Configure load balancers or reverse proxies to remove the x-middleware-subrequest header from incoming requests.
    • Web server configuration: For Nginx, use the proxy_set_header directive to set x-middleware-subrequest to an empty value. In Apache, utilize the RequestHeader unset directive to remove the header.
  3. Enhance authorization mechanisms:
    • Implement additional server-side authorization checks beyond middleware to validate user permissions.
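The two workarounds above (strip the internal header at the edge, then re-check authorization inside the route handler rather than trusting middleware alone), as an added JavaScript example that is not code from the UpGuard article or from the Next.js project. The `session` cookie name, the in-memory `sessions` store and the request object shape are assumptions made for the example.

```javascript
// Added example (not from the article or Next.js): edge filtering plus defense-in-depth
// authorization for a self-hosted Next.js deployment. Header names other than
// x-middleware-subrequest, the cookie name and the session store are assumptions.

// Headers that only the framework should set internally; an external request carrying
// one is stripped and logged so the attempt can be detected.
const INTERNAL_ONLY_HEADERS = ['x-middleware-subrequest'];

// Return a copy of the headers without internal-only ones, plus the list that was dropped.
function stripInternalHeaders(headers) {
  const cleaned = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (INTERNAL_ONLY_HEADERS.includes(name.toLowerCase())) {
      dropped.push(name);          // header comparison is case-insensitive
    } else {
      cleaned[name] = value;
    }
  }
  return { cleaned, dropped };
}

// Defense in depth: the protected route re-validates the session itself instead of
// assuming middleware ran. `sessions` is a Map of session id -> { role } (constructed).
function authorizeAdmin(cleanedHeaders, sessions) {
  const cookieHeader = cleanedHeaders.cookie || '';
  const match = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader);
  const session = match ? sessions.get(match[1]) : undefined;
  return Boolean(session && session.role === 'admin');
}

// Simulated handling of a request to an admin route: returns the HTTP status the
// route would answer with and a detection event when a stripped header was seen.
function handleAdminRequest(request, sessions) {
  const { cleaned, dropped } = stripInternalHeaders(request.headers);
  const event = dropped.length > 0
    ? { alert: 'internal-only header on external request', headers: dropped, path: request.url }
    : null;
  const status = authorizeAdmin(cleaned, sessions) ? 200 : 403;
  return { status, event };
}

// Constructed sample: a valid admin session succeeds; a request that carries the
// internal header but no admin session is denied and produces a detection event.
const demoSessions = new Map([['s1', { role: 'admin' }], ['s2', { role: 'user' }]]);
const demoOk = handleAdminRequest({ url: '/admin', headers: { cookie: 'session=s1' } }, demoSessions);
const demoBlocked = handleAdminRequest(
  { url: '/admin', headers: { 'X-Middleware-Subrequest': 'constructed-value', cookie: 'session=s2' } },
  demoSessions
);
```

In a real deployment the stripping belongs on the reverse proxy (the Nginx and Apache directives named above) and the `authorizeAdmin`-style check belongs in every protected route or server action, so that neither layer is the sole control.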

Previous Notable Vulnerabilities in Next.js

Monitoring your assets and vendors using Next.js is an important part of an ongoing security program. Next.js has disclosed several vulnerabilities in the past and, like all software, will have more in the future. Examples of prior issues, and reasons to continue monitoring for Next.js vulnerabilities, include:

  • Denial of service (DoS) with server actions (January 2025): This vulnerability could be exploited to cause service disruptions.
  • Authorization bypass in Next.js (December 2024): A high-severity flaw that allowed unauthorized access under certain conditions.
  • HTTP request smuggling (May 2024): This issue could enable attackers to interfere with the processing of HTTP requests between clients and servers. 

How UpGuard Helps

The UpGuard platform detects CVE-2025-29927 using a two-step verification mechanism that first determines whether middleware headers are leaked and then checks for sensitive content that is accessible. Once the vulnerability has been confirmed, it is reported in the UpGuard platform.

Amongst the S&P 500, the Next.js vulnerability has been detected on IP addresses for 23 companies.

[Figure: UpGuard vendor portfolio for the S&P 500 showing a selection of companies with CVE-2025-29927]

The vulnerability can be identified on individual domains or IPs, or across all vendors in the Portfolio Risk Profile view. Any vendors that are vulnerable to CVE-2025-29927 should be contacted to speed remediation, as discovery and exploitation of this vulnerability is trivial.
