A significant security flaw has been identified in the Next.js React framework, which may allow attackers to circumvent authorization checks under specific conditions. This vulnerability, designated as CVE-2025-29927, has been assigned a high CVSS score of 9.1, indicating its severity.

Understanding the Vulnerability

The issue arises from the use of an internal header, x-middleware-subrequest, in Next.js. This header is intended to prevent recursive requests that could lead to infinite loops. However, it was discovered that it could be exploited to bypass middleware execution, allowing requests to evade crucial checks, such as authorization cookie validation, before accessing routes.

Technical Details and Impact

Security researcher Rachid Allam, known as zhero and cold-try, uncovered this flaw and has shared detailed technical insights. The vulnerability permits attackers to bypass authorization checks within Next.js middleware, potentially granting unauthorized access to sensitive web pages intended for administrators or users with high privileges.

  • Key Point 1: The vulnerability affects websites using middleware for user authorization without additional checks.
  • Key Point 2: Attackers could exploit this to access restricted resources, such as admin pages.

Mitigation and Recommendations

The vulnerability has been addressed in Next.js versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. Users are strongly advised to update to one of these versions to mitigate the risk. If updating is not feasible, it is recommended to block external user requests containing the x-middleware-subrequest header from reaching the Next.js application.
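The following is an added example, not code from the Next.js project or from the advisory, showing the two defensive measures the article describes in working Node.js: rejecting any externally originated request that carries the internal x-middleware-subrequest header before it reaches the application, and performing the authorization check inside the route itself rather than relying on middleware alone (the "additional checks" of Key Point 1). The cookie name `session`, the token value, and the `/admin` route are constructed for the example; a real deployment would back the token check with its own session store.

```javascript
// Added example (not part of the article or the Next.js project).
// Models the interim mitigation for CVE-2025-29927 at a front-controller /
// reverse-proxy layer, plus defence in depth inside the protected route.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// True when the request carries the internal header. Node lowercases inbound
// header names already, but normalise anyway so hand-built header objects
// (as used in tests) are handled the same way.
function carriesInternalHeader(headers) {
  return Object.keys(headers).some(
    (name) => name.toLowerCase() === INTERNAL_HEADER
  );
}

// Constructed session store: in a real app this is a lookup against the
// session backend, not an in-memory set of literal tokens.
const VALID_SESSION_TOKENS = new Set(['admin-session-token-constructed']);

// Minimal Cookie header parser: "a=b; c=d" -> { a: 'b', c: 'd' }.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Route-level authorization check. Cookie name "session" is an assumption.
function isAuthorized(headers) {
  const cookies = parseCookies(headers.cookie);
  return VALID_SESSION_TOKENS.has(cookies.session);
}

// Decide the response for a request to the protected /admin route.
// Returns { status, body } so the logic can be exercised without a socket.
function handleAdminRequest(headers) {
  // 1. Drop requests that spoof the internal header: external clients never
  //    legitimately send it, so its presence is worth logging as well.
  if (carriesInternalHeader(headers)) {
    return { status: 400, body: 'forbidden header' };
  }
  // 2. Check authorization in the route itself, independent of middleware.
  if (!isAuthorized(headers)) {
    return { status: 401, body: 'unauthorized' };
  }
  return { status: 200, body: 'admin dashboard' };
}

// Adapter for node:http, shown for completeness; call
// http.createServer(requestListener).listen(port) to use it.
function requestListener(req, res) {
  const { status, body } = handleAdminRequest(req.headers);
  res.writeHead(status, { 'content-type': 'text/plain' });
  res.end(body);
}
```

Blocking the header at the edge (reverse proxy or CDN rule) gives the same effect for every route at once; the route-level cookie check is what keeps a protected page closed if middleware is ever skipped for any other reason.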
