Critical Next.js Framework Vulnerability Let Attackers Bypass Authorization

A newly discovered critical security vulnerability in the Next.js framework, designated CVE-2025-29927, poses a significant threat to web applications by allowing malicious actors to completely bypass authorization mechanisms.

NullSecurityX reports that the core of this vulnerability lies in Next.js’s middleware processing logic, specifically how it handles the x-middleware-subrequest header. This header was originally designed to prevent infinite middleware loops by identifying internal subrequests. However, flawed implementation allows external requests to abuse this mechanism.

When an attacker includes the appropriate x-middleware-subrequest header value in their HTTP request, the middleware incorrectly identifies it as an internal subrequest and skips authorization checks entirely. The exploitation varies across Next.js versions:

• Version 12.2 and Earlier: Attackers use x-middleware-subrequest: pages/_middleware to bypass middleware located in the pages directory.
• Version 12.2 and Later: The header value changes to x-middleware-subrequest: middleware for middleware files named middleware.ts.
• Version 13.2.0 and Later: Despite recursion depth protections, the fundamental vulnerability persists through repeated middleware names in the header.

To read the complete article see: Full Article