Vulnerable U

Critical Next.js CVE-2025-29927 Flaw Disclosed

There is a critical vulnerability in many versions of the Next.js framework that can allow an attacker to bypass the authorization function in some situations and gain access to target applications. The maintainers of the project have released fixed versions that address the flaw.

Why It Matters: Next.js is a very popular React framework used for building web applications. One of the components of the framework is middleware, which serves a number of functions, including authentication and authorization. The vulnerability is in the middleware component, so any app that uses it could potentially be vulnerable to this bug. An attacker who is able to exploit the vulnerability could take a few different actions, including bypassing CSP.

Key Details

  • Affected versions: 12.x, 13.x, 14.x, and 15.x

  • Fixed versions: 12.3.5, 13.5.9, 14.2.25, and 15.2.3

  • “Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops. The security report showed it was possible to skip running Middleware, which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes,” the advisory says.

  • “When a next.js application uses a middleware, the runMiddleware function is used, the latter - beyond its main utility - retrieves the value of the x-middleware-subrequest header and uses it to know if the middleware should be applied or not. The header value is split to create a list using the colon character (:) as a separator and then checks if this list contains the middlewareInfo.name value. This means that if we add the x-middleware-subrequest header with the correct value to our request, the middleware - whatever its purpose - will be completely ignored, and the request will be forwarded via NextResponse.next() and will complete its journey to its original destination without the middleware having any impact/influence on it,” according to the researchers who discovered the flaw.

  • The vulnerability only affects self-hosted Next.js apps that use the middleware function.
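Because x-middleware-subrequest is an internal header, as the quoted advisory and researcher write-up explain, a copy of it arriving from outside the application's trust boundary should never be forwarded. The following is an added example, not code from the advisory or from the Next.js project: a reverse-proxy style guard that strips the header before forwarding and emits a detection record. The request objects, the rule name, and the header value "test-value" are all constructed for the example.

```javascript
const INTERNAL_HEADER = "x-middleware-subrequest";

/**
 * Inspect an inbound header map (names in any case), remove every copy of the
 * Next.js-internal header, and report whether one was present.
 * Returns { headers, flagged, observed }; `observed` is the stripped value,
 * truncated so an oversized value cannot bloat the log record, or null.
 */
function scrubInternalHeader(headers) {
  const clean = {};
  let observed = null;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) {
      observed = String(value).slice(0, 64); // keep a bounded copy for logging only
      continue;                              // never forward it
    }
    clean[name] = value;
  }
  return { headers: clean, flagged: observed !== null, observed };
}

/**
 * Process one request summary (a constructed plain object with method, path,
 * clientIp and headers). Returns the sanitized request to forward plus a
 * detection event for the SOC when the internal header was seen from a client.
 */
function inspectRequest(req) {
  const result = scrubInternalHeader(req.headers);
  const event = result.flagged
    ? {
        rule: "nextjs-internal-header-from-client", // hypothetical rule name
        severity: "high",
        clientIp: req.clientIp,
        method: req.method,
        path: req.path,
        headerValue: result.observed,
      }
    : null;
  return { forward: { ...req, headers: result.headers }, event };
}

// Constructed sample traffic: one benign request, one carrying the internal header.
const samples = [
  { method: "GET", path: "/dashboard", clientIp: "203.0.113.7",
    headers: { host: "app.example", cookie: "session=abc" } },
  { method: "GET", path: "/admin", clientIp: "198.51.100.9",
    headers: { host: "app.example", "X-Middleware-Subrequest": "test-value" } },
];

const outcomes = samples.map(inspectRequest);
```

Run at the edge (or in access-log review) this flags any external request that carries the header at all, regardless of its value; stripping it is a stopgap while the fixed versions above are rolled out.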

There are no public reports of exploitation of this bug yet, but given the popularity of the Next.js framework and the fact that the details of the flaw and exploit information are easily available, organizations should update to fixed versions as soon as they can.