A critical vulnerability in Next.js allows attackers to bypass middleware-based authorization checks in self-hosted applications using next start with output: standalone. Tracked as CVE-2025-29927, the flaw has a CVSS v3.1 score of 9.1 and impacts Next.js versions from 11.1.4 up to 13.5.6, 14.x before 14.2.25, and 15.x before 15.2.3.
Affected Configurations
- Vulnerable: Self-hosted deployments using next start with output: standalone.
- Not affected: Apps hosted on Vercel, Netlify, or exported statically.
Vulnerability Details
The vulnerability is caused by improper handling of the internal header x-middleware-subrequest. This header is meant to prevent recursive middleware loops. When this header is present and contains specific values, the middleware is skipped entirely.
Attackers can exploit this behavior by sending a crafted x-middleware-subrequest header, bypassing middleware checks such as:
- Session validation
- Authorization
- Security headers (e.g., CSP)
- Redirects and rewrites
Affected routes include any that rely solely on middleware for access control.
Exploitation Method
An attacker adds the header to an HTTP request:
X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware
This causes the middleware to be skipped and grants access to protected endpoints, such as /dashboard/admin.
The exact value of the header depends on project structure and Next.js version. For example:
- Pre-12.2: x-middleware-subrequest: pages/_middleware
- 12.2+: x-middleware-subrequest: middleware or src/middleware
- 13.2+: Recursion checks exist but do not block this exploit
Detection and Scanning
A Nuclei template is available to scan for this issue. It works by:
- Detecting _next/static to confirm a Next.js app.
- Extracting internal endpoints from HTML.
- Sending requests with and without the malicious header.
- Comparing response codes to detect middleware bypass.
Template: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-29927.yaml
Mitigation
Recommended fix: upgrade to a patched release:
- 15.2.3 (for 15.x)
- 14.2.25 (for 14.x)
- 13.5.9, 12.3.5 (for earlier branches)
Temporary workarounds
For unpatched systems:
- Strip x-middleware-subrequest at the edge (e.g., Cloudflare, AWS ELB).
- Drop or unset the header in the reverse proxy or Node server sitting in front of Next.js:
  Nginx:
    proxy_set_header x-middleware-subrequest "";
  Apache:
    RequestHeader unset x-middleware-subrequest
  Express middleware:
    app.use((req, res, next) => {
      // Node lowercases incoming header names, so this matches any casing
      delete req.headers['x-middleware-subrequest'];
      next();
    });
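The following is an added example, not code from the advisory or from the Next.js or Express projects. It does the same job as the Express one-liner above but also handles a raw headers object whose names have not been lowercased, returns the values it removed, and writes a structured log line so stripped attempts can be alerted on. The function names, the log event name and the logger interface are assumptions.

```javascript
// Added example (not from the advisory or the Next.js project): strip the
// internal x-middleware-subrequest header before a request reaches a
// self-hosted Next.js server, and record that it was present.
'use strict';

const BLOCKED_HEADER = 'x-middleware-subrequest';

// Remove every case variant of the header from a headers object.
// Returns the removed values (empty array if the header was absent).
function stripSubrequestHeader(headers) {
  const removed = [];
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === BLOCKED_HEADER) {
      removed.push(String(headers[name]));
      delete headers[name];
    }
  }
  return removed;
}

// Express-style middleware (hypothetical name): strip the header, then emit
// one JSON log line per request that carried it so a SIEM rule can alert.
function subrequestGuard(logger = console) {
  return function (req, res, next) {
    const removed = stripSubrequestHeader(req.headers);
    if (removed.length > 0) {
      logger.warn(JSON.stringify({
        event: 'middleware_subrequest_header_stripped', // assumed event name
        ip: req.socket && req.socket.remoteAddress,
        path: req.url,
        values: removed,
      }));
    }
    next();
  };
}

// Usage with Express, registered before any Next.js request handler:
//   app.use(subrequestGuard());
```

Register the guard before the handler that delegates to Next.js; a header that reaches Next.js unstripped is exactly the condition the advisory describes, so ordering matters. The log line is the detection artifact: no legitimate external client sends this internal header, so any occurrence is worth an alert.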
Risk Summary
- CVSS: 9.1 (Critical)
- CWE: 287 – Improper Authentication
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
This vulnerability enables authentication and authorization bypass with minimal effort and no special tools. While WAF vendors such as Cloudflare have released rules, these should be treated as a supplementary control, not the sole defense.
Disclosure Timeline
- Mar 21, 2025: Advisory published
- Mar 23, 2025: PoC released
- Mar 23, 2025: Nuclei detection template released
Conclusion
Self-hosted Next.js apps relying on middleware for access control are exposed to authorization bypass due to CVE-2025-29927. Organizations should upgrade to the patched versions immediately or apply header-stripping mitigations at the server or edge level. Detection tools like Nuclei should be used to identify vulnerable instances and validate protections.