A critical flaw discovered in the widely used software development framework Next.js has left experts in the tech world scrambling. The flaw, tracked as CVE-2025-29927, was found by security researcher Rachid Allam. Its CVSS score is 9.1 out of 10, signifying critical risk. Websites that rely on Next.js middleware alone for authorization, without adding extra checks, are especially at risk. The flaw lets attackers gain access to protected pages they are not entitled to, such as sensitive admin pages.
Vulnerability Details and Impact
The vulnerability, which affects websites using Next.js middleware to perform user authentication, allows attackers to skip these important checks. Because of this simple oversight, a malicious user may be able to gain access to restricted and sensitive areas of a website, such as admin login pages and other highly privileged routes that absolutely should be protected.
"The vulnerability allows attackers to easily bypass authorization checks performed in Next.js middleware, potentially allowing attackers access to sensitive web pages reserved for admins or other high-privileged users." – JFrog
To their credit, the Next.js developers recognized the shortcoming. Next.js uses an internal request header called x-middleware-subrequest to prevent nested requests from causing infinite loops. It was found that this header could be spoofed by an external request to skip authorization checks.
"Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops." – Next.js
"It was possible to skip running middleware, which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes." – Next.js
Solutions and Mitigations
As of this writing, the Next.js developers have made fixes for this vulnerability available across a range of Next.js versions. Patches in releases 12.3.5, 13.5.9, 14.2.25 and 15.2.3 fix the flaw. Users of affected versions are advised to upgrade to these patched versions as soon as possible to reduce the risk associated with this vulnerability.
For situations in which patching isn’t possible, a second option is recommended: block external requests that carry the x-middleware-subrequest header before they ever reach the Next.js application. This is simple to do at the edge, in front of the application, and it stops the vulnerability from being exploited.
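The mitigation above as an added example in Node.js (not Next.js' own code or code from the article): a perimeter handler that rejects any request carrying the x-middleware-subrequest header, in any casing, before it is handed to Next.js. The `forward` function, the log sink and the request shape (Node's http req/res) are assumptions.

```javascript
// Added example: perimeter gate that drops requests carrying the internal
// x-middleware-subrequest header so they never reach the Next.js app.
// Assumes Node's http-style req/res objects; header names are compared
// case-insensitively because clients control the casing they send.
const INTERNAL_HEADER = "x-middleware-subrequest";

// True when the request carries the internal header under any casing.
function carriesInternalHeader(headers) {
  return Object.keys(headers).some(
    (name) => name.toLowerCase() === INTERNAL_HEADER
  );
}

// Decide what to do with an incoming request: block with 403 or forward.
function gateDecision(headers) {
  if (carriesInternalHeader(headers)) {
    return { action: "block", status: 403, reason: "external request with internal header" };
  }
  return { action: "forward", status: 200, reason: "ok" };
}

// Build the handler. `forward(req, res)` is whatever proxies to Next.js
// (assumed); `log` receives one line per blocked request for detection.
function makeGate(forward, log = console.log) {
  return (req, res) => {
    const decision = gateDecision(req.headers);
    if (decision.action === "block") {
      const src = req.socket && req.socket.remoteAddress ? req.socket.remoteAddress : "unknown";
      log(`blocked ${src} ${req.method} ${req.url}: ${decision.reason}`);
      res.writeHead(decision.status, { "content-type": "text/plain" });
      res.end("Forbidden\n");
      return;
    }
    forward(req, res);
  };
}
```

Blocked requests are logged with source address, method and path so that the events can be fed into monitoring.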
Recommendations for Users
If you have a site that relies on Next.js middleware for authorization, take action today! Update your software to the latest patched versions or apply the suggested mitigation to avoid being compromised.