A critical vulnerability, CVE-2025-29927, has been discovered in Next.js middleware, affecting versions starting from 11.1.4.
The security researchers Yasser Allam (inzo_) and Rachid.A identified the flaw, which allows attackers to bypass middleware protections, including authorization and Content Security Policy (CSP), by manipulating the x-middleware-subrequest header.
The vulnerability has a critical severity score of 9.1/10.
Key Impacts:
It is possible to bypass authorization checks within a Next.js application if the authorization check is performed in middleware.
- Bypassing Middleware Protections: Attackers can gain unauthorized access to protected resources.
- Security Breaches: Exploitation can lead to various security breaches.
- Cache-Poisoning DoS Attacks: Specific configurations are susceptible to denial-of-service attacks.
Patches
- For Next.js 15.x, this issue is fixed in 15.2.3
- For Next.js 14.x, this issue is fixed in 14.2.25
- For Next.js 13.x, this issue is fixed in 13.5.9
- For Next.js 12.x, this issue is fixed in 12.3.5
- For Next.js 11.x, consult the below workaround.
Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.
Workaround
If patching to a safe version is infeasible, it is recommended that you prevent external user requests that contain the x-middleware-subrequest header from reaching your Next.js application.
We recommend that all self-hosted Next.js deployments using next start and output: 'standalone' should update immediately.
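The workaround above, as an added example that is not part of the advisory or of Next.js itself: a Node.js (Express/connect-style) guard for a self-hosted deployment that rejects any external request carrying an x-middleware-subrequest header before it reaches Next.js, and emits a log record so such attempts can be alerted on. The function names, the 400 response and the log event name are assumptions; they are placed in front of the Next.js handler, not inside Next.js middleware, which is the component the vulnerability bypasses.

```javascript
// Added example: edge guard implementing the advisory's workaround.
// Deploy in the process (or reverse proxy) that sits in front of Next.js.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// True if the header is present, whatever its case or value.
// Accepts either a headers object (Node lowercases the names) or a
// rawHeaders array [name, value, name, value, ...] that keeps wire case.
function hasSubrequestHeader(headers) {
  if (Array.isArray(headers)) {
    for (let i = 0; i < headers.length; i += 2) {
      if (String(headers[i]).toLowerCase() === BLOCKED_HEADER) return true;
    }
    return false;
  }
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER
  );
}

// Decision record for one request: 'block' if the header is present, else 'pass'.
// Returned (not just logged) so the caller can feed it to its own telemetry.
function decide(req) {
  const blocked = hasSubrequestHeader(req.headers);
  return {
    action: blocked ? 'block' : 'pass',
    method: req.method,
    url: req.url,
    remote: req.socket && req.socket.remoteAddress ? req.socket.remoteAddress : 'unknown',
  };
}

// Express/connect-style middleware. A request carrying the header never
// reaches Next.js; everything else continues down the chain unchanged.
function subrequestHeaderGuard(req, res, next) {
  const decision = decide(req);
  if (decision.action === 'block') {
    // External clients have no reason to set this internal header; log for detection.
    console.warn(JSON.stringify({ event: 'blocked_x_middleware_subrequest', ...decision }));
    res.statusCode = 400;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Bad Request');
    return decision;
  }
  next();
  return decision;
}
```

With Express this is `app.use(subrequestHeaderGuard)` registered before the Next.js request handler; the same `decide()` check can drive a reverse-proxy rule if the guard lives there instead.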
Next.js version 15.2.3 has been released to address a security vulnerability (CVE-2025-29927). Additionally, backported patches are available.