
Next Blunder: Next.js Users Urged to Patch Critical Security Flaw

A severe vulnerability tracked as CVE-2025-29927, with a CVSS score of 9.1, has been identified in the Next.js React framework. If exploited, it could result in an authentication bypass under specific conditions.

Next.js is a framework based on React that enables fast and scalable web application development. It supports server-side rendering (SSR), static site generation (SSG), and API routes. Created by Vercel, it provides automatic code splitting, image optimization, and built-in routing, making it well suited to contemporary web development with performance and SEO advantages.

Technical Details

As a comprehensive framework, Next.js includes built-in middleware that is key in authorization checks. It verifies session cookies and grants users the necessary permissions, ensuring access to specific paths remains protected under the required conditions.

The runMiddleware function in Next.js middleware checks the value of the x-middleware-subrequest header to determine whether middleware should be applied. If the correct value is added to this header, the request can bypass intermediary checks, overriding security rules. To exploit this, we need to identify the correct middlewareInfo.name. But how do we find it?

Surprisingly, middlewareInfo.name is highly predictable. To make an educated guess, we first must understand how middleware was configured in older versions.

Older Versions (Before Next.js 12.2)

Before version 12.2, middleware files had to be named _middleware.ts and placed inside the pages folder since the page router was the only available routing mechanism. Knowing this, we can construct a header that bypasses authorization checks entirely:

middleware-subrequest: pages/_middleware

If middleware is used in nested paths, it runs top-to-bottom, which gives two additional possible middlewareInfo.name values for reaching a path protected by middleware. When passed in the x-middleware-subrequest header, these values also allow the authorization bypass:

middleware-subrequest: pages/dashboard/_middleware

or

middleware-subrequest: pages/dashboard/panel/_middleware

Next.js 12.2 and Later

Starting with version 12.2, middleware files no longer require an underscore in their name, nor do they need to be placed inside the pages folder. This simplifies the exploitation process. However, newer versions introduce the option to create a /src directory. Taking both scenarios into account, the header should look like one of the following:

middleware-subrequest: middleware

or

middleware-subrequest: src/middleware

Recent Versions and MAX_RECURSION_DEPTH

In more recent versions, an additional factor comes into play: MAX_RECURSION_DEPTH, which is set to 5 by default. Since there are only two possible filenames (middleware or src/middleware), we can construct a header that takes advantage of this recursion limit:

middleware-subrequest: middleware:middleware:middleware:middleware:middleware

or

middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware

Final Exploitation Step

If we try to access a middleware-protected endpoint without using the correct header value or valid credentials, the request will return a 404 Not Found error. However, if we include the appropriate header in our request, we can bypass authentication and gain access.
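The header values described above are also what a defender should look for in request logs. The following detection example is added here and is not code from the original post: it scans constructed JSON log lines for external requests that carry the x-middleware-subrequest header, splits the value into its colon-delimited segments, and reports whether the segments match the middleware file names listed above and whether the segment count reaches the MAX_RECURSION_DEPTH of 5. The log format, the sample addresses, and the INTERNAL_SOURCES set are assumptions for the demonstration.

```javascript
// Added detection example, not from the original post. Log format, addresses
// and the set of internal sources are assumptions for this demonstration.

// Recursion guard value stated in the post for recent Next.js versions.
const MAX_RECURSION_DEPTH = 5;

// Middleware file names the post lists: pages/_middleware (optionally nested)
// for versions before 12.2, and middleware or src/middleware from 12.2 on.
const KNOWN_MIDDLEWARE_NAMES = [/^pages(\/.*)?\/_middleware$/, /^(src\/)?middleware$/];

// Source addresses allowed to send the header (Next.js talking to itself).
// Assumption: in this sample deployment only loopback is internal.
const INTERNAL_SOURCES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Constructed sample log lines (one JSON object per line): a normal request, an
// internal subrequest, three external requests carrying the header, and junk.
const SAMPLE_LOG = [
  '{"src":"198.51.100.7","method":"GET","path":"/dashboard","headers":{"cookie":"session=abc"}}',
  '{"src":"127.0.0.1","method":"GET","path":"/dashboard","headers":{"x-middleware-subrequest":"middleware"}}',
  '{"src":"203.0.113.9","method":"GET","path":"/dashboard","headers":{"x-middleware-subrequest":"pages/_middleware"}}',
  '{"src":"203.0.113.9","method":"GET","path":"/admin","headers":{"x-middleware-subrequest":"src/middleware:src/middleware:src/middleware:src/middleware:src/middleware"}}',
  '{"src":"203.0.113.9","method":"POST","path":"/api/users","headers":{"x-middleware-subrequest":"garbage"}}',
  'this line is not JSON and is skipped',
];

// Split a header value into its ':'-separated segments and describe them.
function classifySubrequestValue(value) {
  const segments = value.split(':').filter((s) => s.length > 0);
  const known = segments.filter((s) => KNOWN_MIDDLEWARE_NAMES.some((re) => re.test(s)));
  return {
    segments,
    depth: segments.length,
    // every segment names a plausible middleware file
    matchesKnownName: segments.length > 0 && known.length === segments.length,
    // a segment count at or past the guard is the pattern described for recent versions
    reachesRecursionLimit: segments.length >= MAX_RECURSION_DEPTH,
  };
}

// Return one finding per external request that carries the header.
function detectSubrequestHeader(lines) {
  const findings = [];
  for (const line of lines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (err) {
      continue; // malformed line: skip it rather than abort the scan
    }
    const headers = entry.headers || {};
    // header names are case-insensitive, so normalise before lookup
    const key = Object.keys(headers).find((k) => k.toLowerCase() === 'x-middleware-subrequest');
    if (key === undefined) continue;
    if (INTERNAL_SOURCES.has(entry.src)) continue; // legitimate internal subrequest
    const info = classifySubrequestValue(String(headers[key]));
    findings.push({
      src: entry.src,
      method: entry.method,
      path: entry.path,
      value: headers[key],
      depth: info.depth,
      reachesRecursionLimit: info.reachesRecursionLimit,
      // a value naming a real middleware file is a targeted bypass attempt;
      // anything else is still worth a look but is more likely a scanner
      severity: info.matchesKnownName ? 'high' : 'medium',
    });
  }
  return findings;
}

console.log(JSON.stringify(detectSubrequestHeader(SAMPLE_LOG), null, 2));
```

Next.js sets this header on its own internal subrequests, so the scan keys on the source address rather than on the header alone; in a real deployment, replace the loopback set with the addresses of your Next.js instances, and treat any external occurrence as a probe whether or not the value matches a known name.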

Impact

The impact of this vulnerability is highly severe. It grants attackers full system access, which could allow them to obtain or modify sensitive data. The risk is further heightened by the attack’s low complexity.

Products Affected

The vulnerability affects all Next.js versions before 15.2.3, 14.2.25 and 13.5.9, as well as versions above 11.1.4 and before 13.5.6.

Solution and Mitigation

For Next.js 14.x, this issue is fixed in 14.2.25. For Next.js 15.x, this issue is fixed in 15.2.3. For Next.js versions 11.1.4 through 13.5.6, we recommend consulting the workaround below.
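As an added example that is not part of this advisory, the functions below encode the affected ranges and fixed releases stated above so that an installed Next.js version can be checked from a script. The version numbers come from this advisory; the advice strings, the tolerance for "^", "~" and "v" prefixes, and the decision to ignore pre-release suffixes are assumptions.

```javascript
// Added example, not part of the original advisory. Encodes the affected
// ranges stated above; the advice strings are derived from the advisory text
// and the treatment of prefixes and pre-release suffixes is an assumption.

// Parse "major.minor.patch", tolerating a leading "v", "^" or "~" and ignoring
// any suffix such as "-canary.3" (assumption: pre-release tags are not compared).
function parseVersion(text) {
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unrecognised version string: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, component by component: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one installed version against the ranges in the advisory.
function assessVersion(versionText) {
  const v = parseVersion(versionText);
  const before = (s) => compareVersions(v, parseVersion(s)) < 0;
  const atLeast = (s) => !before(s);

  if (before('11.1.4')) {
    return { affected: false, advice: 'below the affected range' };
  }
  if (atLeast('15.0.0')) {
    return before('15.2.3')
      ? { affected: true, advice: 'upgrade to 15.2.3 or later' }
      : { affected: false, advice: 'fixed release' };
  }
  if (atLeast('14.0.0')) {
    return before('14.2.25')
      ? { affected: true, advice: 'upgrade to 14.2.25 or later' }
      : { affected: false, advice: 'fixed release' };
  }
  if (atLeast('13.5.9')) {
    return { affected: false, advice: 'fixed release' };
  }
  if (atLeast('13.0.0')) {
    return { affected: true, advice: 'upgrade to 13.5.9 or later' };
  }
  // 11.1.4 through 12.x: the advisory names no fixed release, only the workaround
  return {
    affected: true,
    advice: 'no fixed release for this line; block the x-middleware-subrequest header at the edge',
  };
}

// Constructed sample inputs, one per release line, to show the classification.
const SAMPLE_VERSIONS = ['11.1.3', '12.3.4', '13.5.8', '13.5.9', '14.2.24', '^14.2.25', '15.2.2', 'v15.2.3'];
for (const version of SAMPLE_VERSIONS) {
  console.log(version.padEnd(10), JSON.stringify(assessVersion(version)));
}
```

Feed this the resolved version (for example from `npm ls next` or the lockfile), not the range in package.json: a caret range such as "^14.2.0" only states a lower bound, and parseVersion deliberately reads just that bound.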

Workaround

If updating to a secure version is not an option, we recommend blocking external user requests that include the x-middleware-subrequest header from reaching your Next.js application.
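One way to apply this workaround is a small edge proxy in front of the application. The example below is added here and is not the post's own code: it removes the x-middleware-subrequest header from (or, in "reject" mode, refuses) any request whose source address is not internal, then forwards the request to Next.js. The upstream address, the listen port and the INTERNAL_SOURCES set are assumptions.

```javascript
// Added example, not the post's own code. A minimal reverse proxy in front of
// Next.js that applies the workaround: the x-middleware-subrequest header is
// removed from (or the request refused for) any request whose source address
// is not internal. Upstream address and INTERNAL_SOURCES are assumptions.

const HEADER = 'x-middleware-subrequest';

// Addresses allowed to send the header (the app's own subrequests).
// Assumption: only loopback is internal in this deployment.
const INTERNAL_SOURCES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Decide how to treat one request. mode 'strip' forwards it without the header;
// mode 'reject' refuses it with 403. Returns the headers to forward upstream.
function filterSubrequestHeader(headers, remoteAddress, mode = 'strip') {
  const forwarded = {};
  let present = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === HEADER) {
      present = true; // left out of the forwarded copy; restored below if internal
      continue;
    }
    forwarded[name] = value;
  }
  if (!present) return { action: 'forward', headers: forwarded, stripped: false };
  if (INTERNAL_SOURCES.has(remoteAddress)) {
    // the app's own subrequest: pass it through unchanged
    return { action: 'forward', headers: { ...headers }, stripped: false };
  }
  if (mode === 'reject') return { action: 'reject', status: 403, headers: forwarded, stripped: true };
  return { action: 'forward', headers: forwarded, stripped: true };
}

// Run the guard as a proxy: listen on listenPort and forward to the Next.js server.
function startGuard({ listenPort, upstreamHost = '127.0.0.1', upstreamPort = 3000, mode = 'strip' }) {
  const http = require('http');
  const server = http.createServer((req, res) => {
    const decision = filterSubrequestHeader(req.headers, req.socket.remoteAddress, mode);
    if (decision.stripped) {
      // one log line per stripped or refused attempt, for alerting
      console.warn(`${HEADER} from ${req.socket.remoteAddress}: ${decision.action} ${req.method} ${req.url}`);
    }
    if (decision.action === 'reject') {
      res.writeHead(decision.status, { 'content-type': 'text/plain' });
      res.end('forbidden\n');
      return;
    }
    const upstream = http.request(
      { host: upstreamHost, port: upstreamPort, method: req.method, path: req.url, headers: decision.headers },
      (upRes) => {
        res.writeHead(upRes.statusCode, upRes.headers);
        upRes.pipe(res);
      },
    );
    upstream.on('error', () => {
      res.writeHead(502, { 'content-type': 'text/plain' });
      res.end('bad gateway\n');
    });
    req.pipe(upstream);
  });
  server.listen(listenPort);
  return server;
}

// Start the proxy only when asked to (assumed invocation: node guard.js --serve).
if (process.argv.includes('--serve')) {
  startGuard({ listenPort: 8080 });
}
```

The same decision applies if you already run a load balancer or WAF: drop or strip the header there for traffic that does not come from your own Next.js instances, and log every occurrence, since a legitimate browser never sends it.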

Instantly Fix Risks with SanerNow Patch Management

SanerNow patch management is continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.