CVE-2025-29927
CVSS Score: 9.1
High Severity
A newly discovered high-severity vulnerability in Next.js (CVE-2025-29927) is raising serious concerns for developers and businesses self-hosting their web applications. Scoring 9.1 on the CVSS scale, this flaw enables attackers to bypass middleware-based authentication checks—granting unauthorized access to protected application routes.
If your application uses
next startwith output: standalonethis issue requires immediate action. What’s the Vulnerability?
The core of the issue lies in how Next.js middleware validates internal HTTP headers. Specifically, the framework mishandles the x-middleware-subrequest header, which is intended to help avoid recursive routing by flagging internal subrequests.
Unfortunately, Next.js does not validate this header properly, allowing threat actors to spoof it and effectively bypass middleware checks such as:
- Authentication filters
- Authorization logic
- Session verification
This means attackers can access routes that should only be available to logged-in users or administrators.
Who’s Affected?
This vulnerability primarily affects self-hosted Next.js applications that utilize the
next start command along withoutput: standalone.The setups listed below remain unaffected: - Applications deployed as static exports
- Applications hosted on Vercel or Netlify
If your application is self-managed and set up as outlined, it’s probably vulnerable to this flaw.
How the Exploit Works
Middleware in Next.js handles security preprocessing—verifying users, applying headers, and more. It uses the
x-middleware-subrequestheader to identify internal requests and prevent routing loops.
However, this header’s value is often predictable, typically reflecting middleware file paths like (e.g.,
src/middleware.Consequently, attackers can craft requests that replicate internal subrequests by inserting the appropriate header value.
If they succeed, this method can bypass authentication and other vital security checks, providing access to sensitive sections of the application.
Real-World Exploitation Example
Security researchers have detected exploit attempts aimed at this vulnerability. For instance, attackers have dispatched requests containing:
x-middleware-subrequest: src/middleware:src/middleware:src/middleware
This method emulates several internal subrequests within a single HTTP call, imitating internal processes in a manner that can deceive the application into providing access.
Importantly, this vulnerability does not necessitate prior authentication, allowing attackers to exploit it to:
- Access admin interfaces
- Bypass login workflows
- Retrieve sensitive information
- Combine the exploit with additional vulnerabilities to achieve a wider effect.
How to Fix It
-
12.3.5 -
13.5.9 -
14.2.25 -
15.2.3
If you are self-hosting and using a vulnerable version, it is highly advisable to upgrade without delay.
If you cannot apply the patch right away, consider a temporary measure by blocking external requests that contain the
x-middleware-subrequestheader. However, proceed with caution—some valid internal systems or tools may depend on this header. Assess its usage thoroughly before applying any blocking rules. Best Practices for Mitigation and Prevention
To reduce the risk of exposure to this and related vulnerabilities, consider these best practices:
- Stay up to date with updates: Regularly update your application dependencies, including frameworks such as Next.js.
- Avoid reliance on client-controlled headers: Ensure server-side validation to protect against spoofing.
- Utilize a layered security approach: Do not depend solely on middleware; implement authentication and authorization at both the route and API levels.
-
Keep track of application logs and network traffic: Look for and probe any suspicious or repeated use of the
x-middleware-subrequestheader.
Beyond the Patch: Securing Middleware in Modern Apps
CVE-2025–29927 highlights the importance of secure middleware practices and the risks associated with inadequately validated internal mechanisms. While middleware offers a powerful way to manage requests, this situation illustrates how a single overlooked detail can lead to a significant vulnerability.
If you are self-hosting a Next.js application, do not hesitate to act. Patch the affected versions or apply strict header verification policies to reduce your attack surface.
To secure modern web applications, there should be strong vigilance, timely patching, and a solid understanding of how internal characteristics can be misused in external contexts.
