Next.js CVE-2025-29927 Critical Middleware Authorization Bypass

Figure 1: Visual representation of the BeyondTrust vulnerability chain

Security researchers disclosed CVE-2025-29927 on March 21, 2025, a critical vulnerability affecting the Next.js web framework that allows attackers to bypass middleware-based authentication and authorization controls. The vulnerability received a CVSS score of 9.1, placing it in the critical severity category.

The flaw exists in how Next.js handles an internal header called x-middleware-subrequest, which the framework uses to prevent infinite middleware recursion loops. Security researcher Rachid Allam, operating under the handle "zhero," discovered that external attackers can manipulate this header to cause the framework to skip middleware execution entirely.

Organizations running Next.js applications that rely on middleware for authentication, authorization, content security policy enforcement, or geographic restrictions face immediate risk. The vulnerability affects Next.js versions from 11.1.4 through unpatched releases of versions 14.x and 15.x.

Vercel, the company behind Next.js, released patched versions on March 21, 2025. Organizations unable to immediately upgrade can implement workarounds at the web server or proxy level by stripping the x-middleware-subrequest header from incoming requests.

The disclosure follows responsible disclosure practices, with patches available at the time of public announcement. At the time of reporting, no confirmed exploitation in the wild had been publicly documented, though the simplicity of the attack vector raises concerns about rapid weaponization.

On March 21, 2025, Vercel published GitHub Security Advisory GHSA-f82v-jwr5-mffw detailing a critical authorization bypass vulnerability in Next.js middleware. The advisory assigned CVE-2025-29927 to the vulnerability and rated it with a CVSS vector of 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, resulting in a 9.1 critical severity score.

ZeroPath Security Research published a detailed technical analysis on the same day, crediting researcher Rachid Allam with the discovery. According to the ZeroPath analysis, the vulnerability stems from an internal mechanism designed to prevent middleware from entering infinite recursion loops.

The GitHub advisory confirmed that patched versions were released simultaneously with the disclosure. Vercel provided fixes for multiple version branches to accommodate organizations running different Next.js releases.

The vulnerability disclosure followed coordinated disclosure practices. Vercel received advance notification and prepared patches before the public announcement. The company did not disclose the specific timeline between initial report and public disclosure.

Figure 2: How the authentication bypass vulnerability works

According to the GitHub Security Advisory, the vulnerability allows attackers to bypass authorization checks implemented in Next.js middleware. The advisory states that the attack requires no authentication and can be executed remotely with low complexity.

The CVSS vector breakdown indicates:

• Attack Vector: Network (remotely exploitable)
• Attack Complexity: Low (no special conditions required)
• Privileges Required: None (unauthenticated attack)
• User Interaction: None (no victim action needed)
• Confidentiality Impact: High
• Integrity Impact: High
• Availability Impact: None

ZeroPath's technical analysis explains that Next.js middleware uses the x-middleware-subrequest header internally to track recursion depth. In versions prior to 12.2, the middleware checked if this header's value contained the middleware file path. If present, middleware execution was skipped.

In more recent versions, according to ZeroPath, the framework implements a MAX_RECURSION_DEPTH check set to 5. When the middleware path appears five or more times in the header value, separated by colons, the middleware execution is bypassed.

The critical flaw, as documented by ZeroPath, is that the framework accepts and processes this header from any incoming request without validating whether the request originated internally or externally.

The coordinated disclosure process allowed organizations to receive patches before public exploitation details became widely available. Vercel's release of patches across multiple version branches provides upgrade paths for organizations running various Next.js versions.

The vulnerability disclosure includes clear mitigation guidance for organizations unable to immediately upgrade. Web server and proxy-level header stripping provides an effective workaround that does not require application code changes.

Security teams can use this disclosure to audit their Next.js deployments and identify applications relying solely on middleware for security controls. The incident provides an opportunity to implement defense-in-depth strategies with secondary authentication checks at the route handler level.

The detailed technical documentation from ZeroPath enables security professionals to understand the vulnerability mechanism and develop appropriate detection strategies for their environments.

Figure 3: Privilege escalation from user to SYSTEM level

The vulnerability affects a wide range of Next.js versions spanning multiple years of releases. Organizations running older versions may face challenges upgrading due to breaking changes between major versions.

Applications relying exclusively on middleware for authentication face immediate risk. According to ZeroPath's analysis, the attack can bypass authentication checks, authorization controls, content security policy headers, and geographic restrictions implemented in middleware.

The attack's low complexity and lack of authentication requirements make it accessible to unsophisticated attackers. The exploit requires only the ability to craft HTTP requests with specific header values.

ZeroPath's analysis notes that under certain configurations, the bypass could enable cache poisoning attacks. Bypassing middleware rewrites might cause caching of error responses, leading to denial of service conditions.

Organizations using web application firewalls may need to update rules to detect and block requests containing the x-middleware-subrequest header from external sources.

Next.js middleware functions as an interceptor layer that executes before requests reach their destination routes. Developers commonly use middleware to implement authentication verification, authorization checks, request path rewriting, response header injection, and geographic content restrictions.

The middleware execution is managed by the runMiddleware function within the Next.js framework. To prevent scenarios where middleware might call itself indefinitely, the framework implements a recursion prevention mechanism using the x-middleware-subrequest header.

In the intended design, when Next.js internally makes a subrequest that would trigger middleware, it includes this header to signal that the request is part of an internal chain. The middleware checks this header and, based on its value, decides whether to execute or skip.

For older versions prior to 12.2, the check was straightforward: if the header value contained the middleware file path, execution was skipped. Modern versions implement a counter-based approach, tracking how many times the middleware path appears in the header value. When this count reaches five, the framework assumes a recursion scenario and skips execution.

Technical context (optional): The vulnerability exists because the header validation does not distinguish between internally-generated subrequests and externally-crafted requests. An attacker can include the header in their request with a value that triggers the skip condition, causing the middleware to not execute for their malicious request.

Next.js ranks among the most widely deployed React frameworks, powering applications across enterprises, startups, and individual developers. The framework's middleware feature has become a common pattern for implementing security controls, making this vulnerability's impact potentially widespread.

The vulnerability highlights risks associated with relying on framework-level security features without defense-in-depth strategies. Applications that implement authentication only at the middleware layer, without secondary checks in route handlers or API endpoints, face complete authentication bypass.

The incident demonstrates how internal framework mechanisms designed for legitimate purposes can become attack vectors when exposed to external input. The recursion prevention feature served a valid engineering purpose but created an unintended security gap.

Framework security vulnerabilities affect the entire ecosystem of applications built on that framework. Unlike application-specific bugs that affect single deployments, framework vulnerabilities can impact thousands of applications simultaneously.

The disclosure may prompt security reviews of similar internal header mechanisms in other web frameworks. The pattern of using headers for internal state tracking exists in multiple frameworks and platforms.

Confirmed:

• CVE-2025-29927 affects Next.js middleware authorization
• CVSS score is 9.1 (Critical)
• Vulnerability exists in versions from 11.1.4 through unpatched 14.x and 15.x releases
• Patched versions are available
• The attack vector involves the x-middleware-subrequest header
• No authentication is required to exploit the vulnerability
• Vercel released patches on March 21, 2025

Remains unclear:

• The exact timeline between initial discovery and disclosure
• Whether any exploitation occurred before the public disclosure
• The total number of affected applications in production
• Whether any major services experienced breaches related to this vulnerability
• The specific internal discussions that led to the original design decision

At the time of reporting, Vercel had not published information about any known exploitation in the wild.

Organizations should monitor their Next.js deployments for upgrade status and verify that patches have been applied. Security teams should review web server and proxy configurations to ensure the x-middleware-subrequest header is being stripped from external requests as a defense-in-depth measure.

The security community will likely publish additional analysis and potential detection signatures in the coming days. Web application firewall vendors may release updated rule sets to detect exploitation attempts.

Organizations should audit applications to identify those relying solely on middleware for security controls. Implementing secondary authentication checks at the route handler level provides protection against similar vulnerabilities.

Vercel may publish additional guidance or post-incident analysis as the situation develops. The company's security advisories page and Next.js release notes warrant monitoring for updates.

Security researchers may discover related vulnerabilities in the middleware implementation or in similar mechanisms in other frameworks. The disclosure has drawn attention to internal header handling as a potential attack surface.

1. GitHub Security Advisory GHSA-f82v-jwr5-mffw, Vercel, March 21, 2025. https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw

2. "Next.js Middleware Exploit: CVE-2025-29927 Authorization Bypass," ZeroPath Security Research, March 21, 2025. https://zeropath.com/blog/nextjs-middleware-cve-2025-29927-auth-bypass

3. "Critical Next.js Vulnerability Allows Authorization Bypass," The Hacker News, March 2025. https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html