CVE-2025-30218
📋 TL;DR
This Next.js vulnerability allows the x-middleware-subrequest-id header to be unintentionally leaked to third-party servers during fetch requests from middleware. Any Next.js application using middleware that makes fetch requests to external domains is affected. This could expose internal request identifiers to untrusted parties.
💻 Affected Systems
- Next.js
📦 What is this software?
Next.js by Vercel
⚠️ Risk & Real-World Impact
Worst Case
Attackers could correlate leaked subrequest IDs with other timing or behavioral data to track user sessions, infer internal infrastructure details, or potentially chain with other vulnerabilities.
Likely Case
Information disclosure where third-party services receive internal Next.js request identifiers, potentially enabling tracking or correlation of user activities across services.
If Mitigated
Minimal impact if no sensitive information can be derived from the subrequest ID alone and third-party services are trusted.
🎯 Exploit Status
Exploitation requires the application to make fetch requests from middleware to external domains, which is a common pattern.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.3.6, 13.5.10, 14.2.26, or 15.2.4 depending on your major version
Vendor Advisory: https://github.com/vercel/next.js/security/advisories/GHSA-223j-4rm8-mrmf
Restart Required: Yes
Instructions:
1. Identify your Next.js version.
2. Update to the patched version matching your major version: npm update next@^12.3.6 or npm update next@^13.5.10 or npm update next@^14.2.26 or npm update next@^15.2.4.
3. Restart your application.
🔧 Temporary Workarounds
Middleware fetch request filtering
Modify middleware to strip the x-middleware-subrequest-id header before making fetch requests to external domains
// In your middleware file, modify fetch calls so the header is actually removed.
// Spreading 'x-middleware-subrequest-id': undefined into a plain headers object does
// not drop the header: fetch converts the value to the string "undefined" and sends it.
// Build a Headers object and delete the entry instead:
const outgoing = new Headers(headers);
outgoing.delete('x-middleware-subrequest-id');
const response = await fetch(url, { headers: outgoing });
🧯 If You Can't Patch
- Review all middleware fetch requests and ensure they only go to trusted internal endpoints
- Implement network filtering to block middleware-initiated requests to external domains
🔍 How to Verify
Check if Vulnerable:
Check if your Next.js version is below the patched versions and if your middleware makes fetch requests to external domains.
Check Version:
npm list next | grep next
Verify Fix Applied:
After updating, verify the version is at or above the patched version and test that x-middleware-subrequest-id is not sent to external domains.
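The version check above can be scripted. The following is an added example, not code from the advisory or from the Next.js project: it compares an installed version against the patched release for its major line (the four patched versions are the ones listed under Official Fix; the log-output regex, the treatment of pre-release tags as older than the release, and the sample npm output are assumptions made here).

```javascript
// Added example: decide whether an installed Next.js version is below the
// patched release for its major line. Only the PATCHED map comes from the
// advisory; everything else is an assumption of this example.
const PATCHED = { 12: '12.3.6', 13: '13.5.10', 14: '14.2.26', 15: '15.2.4' };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into [major, minor, patch, isRelease].
// A pre-release (e.g. 15.2.4-canary.3) sorts before the final release, so the
// fourth element is 0 for pre-releases and 1 for releases.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns { vulnerable, patched }. Major lines the advisory does not list
// are reported with vulnerable: null rather than silently treated as safe.
function checkNextVersion(installed) {
  const major = parseVersion(installed)[0];
  const patched = PATCHED[major];
  if (!patched) {
    return { vulnerable: null, patched: null, note: 'major line not covered by the advisory' };
  }
  return { vulnerable: compareVersions(installed, patched) < 0, patched };
}

// Pull the version out of `npm list next` output such as "└── next@14.2.25".
function versionFromNpmList(output) {
  const m = /next@(\d+\.\d+\.\d+\S*)/.exec(output);
  return m ? m[1] : null;
}

// Constructed sample of `npm list next` output for demonstration.
const SAMPLE_NPM_LIST = 'my-app@1.0.0 /srv/my-app\n└── next@14.2.25\n';
console.log(checkNextVersion(versionFromNpmList(SAMPLE_NPM_LIST)));
```

Pipe the real output of npm list next into versionFromNpmList, or run it against each application in an inventory; a result of vulnerable: null means the major line is older than any the advisory covers and needs a manual decision.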
📡 Detection & Monitoring
Log Indicators:
- Outbound requests from middleware containing x-middleware-subrequest-id header to external domains
Network Indicators:
- HTTP requests from your Next.js application to third-party domains containing x-middleware-subrequest-id header
SIEM Query:
http.headers:x-middleware-subrequest-id AND destination_domain:external
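Where no SIEM is available, the same indicator can be checked directly over outbound-request logs. The code below is an added example written for this page, not part of the advisory or of Next.js: it flags every logged request that carries x-middleware-subrequest-id to a host outside an internal allowlist. The log line format, the internal-domain suffixes and the sample lines are all constructed for the example.

```javascript
// Added example: detect x-middleware-subrequest-id leaving for external hosts.
// Assumed log line format (constructed for this example):
//   "<timestamp> <method> <url> headers=<json object>"
// The internal-domain list is likewise an assumption; adjust it to your estate.
const INTERNAL_SUFFIXES = ['.internal.example', 'localhost'];

function parseLogLine(line) {
  const m = /^(\S+) (\S+) (\S+) headers=(\{.*\})$/.exec(line);
  if (!m) return null;
  let headers;
  try {
    headers = JSON.parse(m[4]);
  } catch {
    return null; // malformed header JSON: skip rather than crash the scan
  }
  return { ts: m[1], method: m[2], url: m[3], headers };
}

// Suffixes starting with "." match the domain itself and any subdomain;
// bare names must match exactly.
function isInternalHost(hostname) {
  return INTERNAL_SUFFIXES.some(s =>
    s.startsWith('.') ? hostname === s.slice(1) || hostname.endsWith(s) : hostname === s
  );
}

// Returns one finding per request that sends the header to an external host.
// Header names are compared case-insensitively, as HTTP header names are.
function findLeaks(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    const names = Object.keys(entry.headers).map(h => h.toLowerCase());
    if (!names.includes('x-middleware-subrequest-id')) continue;
    let host;
    try {
      host = new URL(entry.url).hostname;
    } catch {
      continue; // unparsable URL: nothing to attribute the request to
    }
    if (isInternalHost(host)) continue;
    findings.push({ ts: entry.ts, method: entry.method, host, url: entry.url });
  }
  return findings;
}

// Constructed sample log: one internal request carrying the header, one external
// request carrying it (the finding), one external request without it, one junk line.
const SAMPLE_LOG = [
  '2025-03-26T10:00:00Z GET https://api.internal.example/session headers={"x-middleware-subrequest-id":"req-001"}',
  '2025-03-26T10:00:01Z POST https://analytics.thirdparty.example/collect headers={"X-Middleware-Subrequest-Id":"req-001","content-type":"application/json"}',
  '2025-03-26T10:00:02Z GET https://cdn.thirdparty.example/asset.js headers={"accept":"*/*"}',
  'not a request line at all',
];

console.log(findLeaks(SAMPLE_LOG));
```

Feed real outbound-request logs to findLeaks one line at a time; any finding after the patch has been applied means a request path still forwards the header and deserves a look.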