CVE-2025-29927 - Next.js Vulnerability

23/07/2025

Overview

In March 2025, security researchers Rachid Allam and Yasser Allam publicly disclosed a critical vulnerability identified as CVE-2025-29927, affecting Next.js—a widely used React framework for building full-stack web applications. This vulnerability allowed attackers to bypass middleware-based authorization checks, potentially granting unauthorized access to protected routes and sensitive data.

Timeline of Events

  • March 2025: Public disclosure of CVE-2025-29927 by researchers Rachid Allam and Yasser Allam.
  • Immediate patch releases by Next.js maintainers in versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Technical Analysis of the Vulnerability

Vulnerable Endpoint Analysis

Next.js middleware relies on an internal header named x-middleware-subrequest to prevent recursive middleware invocations and infinite loops. However, due to insufficient validation, attackers could manipulate this header, causing middleware logic to be skipped entirely. This bypass rendered critical security checks such as authorization and cookie validation ineffective.

Example of flawed code snippet:

const config = require('./config');

module.exports = (req, res, next) => {
  const middlewareFilepath = config.MIDDLEWARE_PATH;

  // The header is read straight from the incoming request, so any external
  // client can supply it; nothing ties it to a genuine internal subrequest.
  const subreq = req.headers['x-middleware-subrequest'];
  const subrequests = typeof subreq === 'string' ? subreq.split(':') : [];
  const middlewareInfo = { "name": middlewareFilepath, "version": "1.0.0" };
  // Count how many times this middleware's own name appears in the header.
  const depth = subrequests.reduce((acc, curr) => (curr === middlewareFilepath ? acc + 1 : acc), 0);

  if (!req.headers['origin']) {
    res.setHeader("X-Origin", "null");
  }

  // Flaw: a header value that merely names this middleware (or repeats it
  // MAX_DEPTH times) is treated as an internal subrequest, and the
  // authorization logic below is skipped.
  if (subrequests.includes(middlewareInfo.name) || depth == config.MAX_DEPTH) {
    req.isInternalRequest = true;
    return next('route');
  }

  next();
};

This middleware logic allowed attackers to craft requests with spoofed x-middleware-subrequest headers, effectively skipping essential middleware checks.

Post-Incident Response

Next.js maintainers quickly responded by releasing patches addressing this vulnerability in versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3; affected deployments are protected once upgraded to one of these versions.


Lessons Learned

  • Avoid implicit trust of internal headers by implementing thorough validation.
  • Regular dependency updates and prompt patching remain essential to maintaining security.
  • Additional server-side checks beyond middleware should be incorporated to ensure layered security controls and resilience against similar vulnerabilities in the future.

We made a challenge reproducing this vulnerability.

It is available on our Weekly Incident game for 2 weeks.
