CVE-2025-29927
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4Description
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Analysis
Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subrequest header. Attackers can send crafted requests that skip middleware entirely, bypassing authentication, authorization, and security headers enforced at the middleware layer.
Technical Context
Next.js middleware runs before route handlers and is commonly used for authentication, authorization, geo-restrictions, and CSP headers. The vulnerability exploits the x-middleware-subrequest internal header: when present with specific values, the framework treats the request as an internal subrequest and skips middleware execution entirely. This header is not stripped from external requests.
Affected Products
['Next.js 1.11.4 through 12.3.4', 'Next.js 13.0.0 through 13.5.8', 'Next.js 14.0.0 through 14.2.24', 'Next.js 15.0.0 through 15.2.2']
Remediation
Update to Next.js 12.3.5, 13.5.9, 14.2.25, or 15.2.3. If patching is not feasible, configure your reverse proxy or CDN to strip the x-middleware-subrequest header from all incoming requests. Do not rely solely on middleware for critical authorization checks.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today