by x32x01
A critical vulnerability in Next.js middleware (CVE-2025-29927, CVSS 9.1) allows attackers to bypass authentication and authorization checks.
The root cause: improper trust of the internal header x-middleware-subrequest.
How Does the Exploit Work?
Attackers can spoof the x-middleware-subrequest header in their HTTP requests. When Next.js sees this header, it treats the request as an “internal subrequest”, skipping middleware checks like authentication or authorization.
Real Example Payload
Code:
GET /admin/dashboard HTTP/1.1
Host: vulnerable-app.com
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

Result: The attacker gets direct access to /admin/dashboard without logging in.
Middleware security = bypassed!
Who is Affected?
Next.js versions vulnerable to this attack:
- 11.1.4 → 13.5.6
- Versions below 14.2.25
- Versions below 15.2.3
How to Fix It
Patch Immediately
Upgrade to safe versions:
- 12.3.5+
- 13.5.9+
- 14.2.25+
- 15.2.3+
Temporary Workaround
For Nginx / Cloudflare / Reverse Proxy, block or strip the header before it reaches the app (Nginx example):
Code:
proxy_set_header x-middleware-subrequest "";
Defense in Depth
- Don’t rely solely on middleware.
- Add route-level authentication checks.
- Monitor logs for suspicious x-middleware-subrequest usage.
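The two Defense in Depth points above, route-level authorization and monitoring for the header, as an added example (not code from the original post or from Next.js): it runs against plain request objects, and the session store, cookie name and sample requests are assumptions.

```javascript
// Added example, not code from the original post or from Next.js itself.
// Requests are plain objects { method, path, headers } with lowercase header
// names; `sessions` is a hypothetical session-token -> user lookup.
const PROTECTED_PREFIXES = ['/admin'];

// Route-level authorization, independent of middleware: the decision comes
// only from the session cookie, never from a header a client could forge.
function authorizeRoute(req, sessions) {
  if (!PROTECTED_PREFIXES.some((p) => req.path.startsWith(p))) {
    return { allowed: true, reason: 'public route' };
  }
  const cookie = req.headers['cookie'] || '';
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookie);
  const user = m ? sessions[m[1]] : undefined;
  if (!user) return { allowed: false, reason: 'no valid session' };
  if (user.role !== 'admin') return { allowed: false, reason: 'not an admin' };
  return { allowed: true, reason: `admin session for ${user.name}` };
}

// Detection: x-middleware-subrequest is an internal header, so any copy that
// arrives from an external client is worth an alert. Returns null if absent.
function detectSubrequestSpoof(req) {
  const value = req.headers['x-middleware-subrequest'];
  if (value === undefined) return null;
  const segments = value.split(':').filter((s) => s.length > 0);
  return {
    path: req.path,
    header: value,
    depth: segments.length,
    // the published payload repeats the middleware name several times
    allMiddleware: segments.length > 0 && segments.every((s) => s === 'middleware'),
  };
}

// Constructed samples: the published bypass payload, a real admin, a public page.
const SESSIONS = { 'tok-admin-1': { name: 'alice', role: 'admin' },
                   'tok-user-2': { name: 'bob', role: 'user' } };
const SAMPLES = [
  { method: 'GET', path: '/admin/dashboard', headers: { host: 'vulnerable-app.com',
    'x-middleware-subrequest': 'middleware:middleware:middleware:middleware:middleware' } },
  { method: 'GET', path: '/admin/dashboard', headers: { host: 'vulnerable-app.com',
    cookie: 'session=tok-admin-1' } },
  { method: 'GET', path: '/', headers: { host: 'vulnerable-app.com' } },
];
const RESULTS = SAMPLES.map((req) => ({
  auth: authorizeRoute(req, SESSIONS), spoof: detectSubrequestSpoof(req) }));
```

The first sample is denied by the route check even though middleware would have been skipped, and the detector reports it with depth 5 for alerting.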
Real-World Detection
- Security companies like Akamai and Datadog have already observed active exploit attempts.
- A Nuclei template is available on GitHub to scan vulnerable apps.
Key Takeaway
Middleware ≠ Complete Security
- Attackers can spoof headers to trick your application.
- Always combine middleware, endpoint-level checks, and active monitoring to stay protected.
Next.js CVE-2025-29927 shows how a simple header trick can give attackers free access if apps are unpatched.
Post Caption Suggestion for TabCode Forums
Next.js Under Attack! A new Critical CVE (2025-29927) allows hackers to bypass authentication with a simple header trick.
- Running Next.js <15.2.3? → vulnerable!
- Patch now or risk giving attackers free access to admin routes.