A critical vulnerability (CVE-2025-29927) in the popular Next.js framework allows attackers to bypass authorization checks. This impacts all versions before 15.2.3, 14.2.25, 13.5.9, and 12.3.5.
Next.js, a React framework boasting over 9 million weekly npm downloads, is used by major companies like TikTok, Twitch, Hulu, Netflix, Uber, and Nike. Its middleware handles authentication and authorization, but this flaw circumvents these safeguards.
The vulnerability centers around the ‘x-middleware-subrequest’ header. Next.js uses this header internally to prevent middleware from endlessly triggering itself: the runMiddleware function checks for this header and, if it is present with a specific value, skips the entire middleware chain and forwards the request directly.
Researchers Allam Rachid and Allam Yasser (inzo_) discovered that an attacker can manipulate this header, effectively creating a “universal key allowing rules to be overridden.” Their technical write-up details this exploitation.
This vulnerability affects self-hosted Next.js applications using ‘next start’ with ‘output: standalone’. Vercel and Netlify-hosted apps, or those deployed as static exports, are not affected. However, any environment using middleware for authorization without further application-level validation is vulnerable.
If immediate patching isn’t feasible, blocking or stripping the ‘x-middleware-subrequest’ header from external requests at the reverse proxy or load balancer is recommended as a temporary mitigation, since the header is only ever meant to be set by the Next.js server itself. Update to a patched version (15.2.3, 14.2.25, 13.5.9, or 12.3.5 or later) as soon as possible.