CVE-2025-29927
📋 TL;DR
This CVE describes an authorization bypass vulnerability in Next.js middleware. Attackers can bypass authorization checks by sending requests with the x-middleware-subrequest header, potentially accessing protected resources. This affects Next.js applications using middleware for authorization in versions 1.11.4 through 12.3.4, 13.5.8 and earlier, 14.2.24 and earlier, and 15.2.2 and earlier.
💻 Affected Systems
- Next.js
📦 What is this software?
Next.js by Vercel
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of protected application functionality, unauthorized access to sensitive data, privilege escalation, and potential data exfiltration.
Likely Case
Unauthorized access to protected routes and resources that should require authentication, potentially exposing user data or administrative functions.
If Mitigated
Limited impact with proper network controls and header filtering, though some risk remains until patching.
🎯 Exploit Status
Exploitation requires sending HTTP requests with the x-middleware-subrequest header, which is straightforward for attackers with network access to the application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.3.5, 13.5.9, 14.2.25, 15.2.3
Vendor Advisory: https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
Restart Required: Yes
Instructions:
1. Identify your Next.js version.
2. Update to a patched version using npm: npm update next@latest or yarn upgrade next@latest.
3. Restart your Next.js application.
4. Test authorization functionality.
🔧 Temporary Workarounds
Block x-middleware-subrequest header at network level
Configure the web application firewall or reverse proxy to drop requests containing the x-middleware-subrequest header from external sources.
# Example nginx configuration:
location / {
    if ($http_x_middleware_subrequest) {
        return 403;
    }
    # ... rest of configuration
}
🧯 If You Can't Patch
- Implement network-level filtering to block requests with x-middleware-subrequest header from untrusted sources.
- Move authorization logic out of middleware to server-side API routes or other secure locations.
🔍 How to Verify
Check if Vulnerable:
Check package.json for the Next.js version. If the version is between 1.11.4 and 12.3.4 inclusive, or is 13.5.8 or earlier, 14.2.24 or earlier, or 15.2.2 or earlier (within the 13.x, 14.x and 15.x lines respectively), and the application relies on middleware for authorization, it is vulnerable.
Check Version:
Run npm list next | grep next, or check the package.json file.
Verify Fix Applied:
After updating, verify the version is 12.3.5+, 13.5.9+, 14.2.25+, or 15.2.3+. Test authorization endpoints with x-middleware-subrequest header to ensure they are properly blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with x-middleware-subrequest header in access logs
- Unauthorized access attempts to protected routes
Network Indicators:
- Incoming HTTP requests containing x-middleware-subrequest header
- Unusual access patterns to protected endpoints
SIEM Query:
http.headers:x-middleware-subrequest AND (http.status:200 OR http.status:302) AND NOT user_agent:"internal"
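For environments without a SIEM, the same condition can be run over proxy logs directly. The following is an added example, not part of this advisory or of Next.js: it triages JSON access-log lines from a reverse proxy that records request headers, separating requests carrying x-middleware-subrequest that the origin answered with 200 or 302 (the bypass may have succeeded) from those it rejected (blocked at the edge). The log format, its field names and the sample lines are constructed for the example; trusted sources are excluded by address here rather than by the "internal" user agent used in the query above.

```javascript
// Added example, not part of the advisory or of Next.js: triage JSON access-log
// lines for requests carrying the x-middleware-subrequest header.
const HEADER = "x-middleware-subrequest";
const SUCCESS_STATUSES = new Set([200, 302]); // same statuses as the SIEM query

// Constructed sample log (one JSON object per line); field names are assumptions.
const SAMPLE_LOG = [
  '{"ts":"2025-03-24T10:00:01Z","remote_addr":"203.0.113.10","method":"GET","path":"/admin","status":200,"headers":{"x-middleware-subrequest":"example","user-agent":"curl/8.5.0"}}',
  '{"ts":"2025-03-24T10:00:02Z","remote_addr":"203.0.113.10","method":"GET","path":"/login","status":200,"headers":{"user-agent":"curl/8.5.0"}}',
  '{"ts":"2025-03-24T10:00:03Z","remote_addr":"198.51.100.7","method":"GET","path":"/dashboard","status":403,"headers":{"X-Middleware-Subrequest":"example","user-agent":"python-requests/2.31"}}',
  '{"ts":"2025-03-24T10:00:04Z","remote_addr":"198.51.100.7","method":"GET","path":"/api/users","status":302,"headers":{"X-Middleware-Subrequest":"example","user-agent":"python-requests/2.31"}}',
  '{"ts":"2025-03-24T10:00:05Z","remote_addr":"10.0.0.5","method":"GET","path":"/api/data","status":200,"headers":{"x-middleware-subrequest":"example","user-agent":"internal"}}',
  "this line is not JSON",
].join("\n");

function parseLogLines(text) {
  const records = [];
  text.split("\n").forEach((line, i) => {
    if (!line.trim()) return;
    try {
      records.push(JSON.parse(line));
    } catch (err) {
      // Keep unparseable lines visible instead of silently dropping them.
      records.push({ parse_error: true, line_no: i + 1, raw: line });
    }
  });
  return records;
}

// Header names are case-insensitive and proxies differ in how they log them.
function hasSubrequestHeader(rec) {
  return Object.keys(rec.headers || {}).some((k) => k.toLowerCase() === HEADER);
}

function triage(text, { trustedSources = [] } = {}) {
  const trusted = new Set(trustedSources);
  const out = { succeeded: [], blocked: [], parse_errors: [] };
  for (const rec of parseLogLines(text)) {
    if (rec.parse_error) {
      out.parse_errors.push(rec);
      continue;
    }
    if (!hasSubrequestHeader(rec) || trusted.has(rec.remote_addr)) continue;
    (SUCCESS_STATUSES.has(rec.status) ? out.succeeded : out.blocked).push(rec);
  }
  return out;
}

// Count hits per source address so repeat senders stand out.
function countBySource(records) {
  const counts = {};
  for (const r of records) counts[r.remote_addr] = (counts[r.remote_addr] || 0) + 1;
  return counts;
}

const result = triage(SAMPLE_LOG, { trustedSources: ["10.0.0.5"] });
console.log(`succeeded: ${result.succeeded.length}, blocked: ${result.blocked.length}, unparsed: ${result.parse_errors.length}`);
console.log("by source:", countBySource(result.succeeded.concat(result.blocked)));
```

Records in the succeeded bucket are the ones to investigate first: a 200 or 302 on a protected path with the header present, from an untrusted address, means the edge filter was not in place or was bypassed. The blocked bucket still shows who is probing.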
🔗 References
- https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2
- https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48
- https://github.com/vercel/next.js/releases/tag/v12.3.5
- https://github.com/vercel/next.js/releases/tag/v13.5.9
- https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
- http://www.openwall.com/lists/oss-security/2025/03/23/3
- http://www.openwall.com/lists/oss-security/2025/03/23/4
- https://security.netapp.com/advisory/ntap-20250328-0002/