What is the critical security vulnerability discovered in Next.js?

A critical security vulnerability (CVE-2025-29927) with a CVSS score of 9.1 has been discovered in Next.js that enables attackers to completely bypass security middleware in affected Next.js applications with a simple HTTP header manipulation.

How can attackers exploit this vulnerability?

The exploit is surprisingly straightforward - attackers can bypass all middleware security checks by adding a specific HTTP header to their requests, such as 'x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware'. This allows them to access protected areas like admin panels and private dashboards without authentication.

Which versions of Next.js are affected?

Affected versions include Next.js versions 11.1.4 through 13.5.6, Next.js versions 14.0 through 14.2.24, and Next.js versions 15.0 through 15.2.2.

Which versions of Next.js have been patched?

Patched versions include Next.js version 15.2.3 and later, and Next.js version 14.2.25 and later. Additionally, Next.js deployments hosted on Vercel are automatically protected.

Does the exploit method vary by project configuration?

Yes, the exact header value needed for exploitation varies by project configuration: Pages Router (versions 11.1.4-12.1.x): x-middleware-subrequest: pages/_middleware; App Router (versions 12.2.x-13.x): x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware; App Router with /src folder (versions 14.x-15.2.2): x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware.

What should Next.js users do to protect their applications?

Users are advised to update Next.js immediately and upgrade to version 15.2.3+ or 14.2.25+. As a temporary workaround for those who cannot update immediately, blocking the HTTP header x-middleware-subrequest can help mitigate the vulnerability.

Are Next.js deployments on Vercel affected?

No, Next.js deployments hosted on Vercel are automatically protected from this vulnerability.

Advisory

Critical security vulnerability reported in Next.js framework

Q: What causes this vulnerability?

The vulnerability stems from a mechanism designed to prevent infinite middleware loops. Next.js implements a counter that tracks how many times middleware has executed using the x-middleware-subrequest header. If the count reaches the maximum threshold (5 by default), Next.js skips the middleware entirely. The critical flaw is that anyone can manipulate this header, effectively instructing Next.js to skip all security checks.

published: March 24, 2025

Take action: If you are running Next.js backend application, this is an URGENT patch. Attackers can bypass your security middleware controls with a trivial attack. Either block all requests with the x-middleware-subrequest header from a browser to server, or patch IMMEDIATELY. Ideally both.

Learn More

A critical security vulnerability has been discovered in Next.js, a widely used React frameworks that enables attackers to completely bypass security middleware in affected Next.js applications with a simple HTTP header manipulation.

This flaw, tracked as CVE-2025-29927 (CVSS score 9.1) stems from a mechanism designed to prevent infinite middleware loops. Next.js implements a counter that tracks how many times middleware has executed using the x-middleware-subrequest header. If the count reaches the maximum threshold (5 by default), Next.js skips the middleware entirely. The critical flaw is that anyone can manipulate this header, effectively instructing Next.js to skip all security checks.

The exploit is surprisingly straightforward - attackers can bypass all middleware security checks by adding a specific HTTP header to their requests:

x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

Attackers can access protected areas like admin panels and private dashboards without authentication. Security headers set by middleware that prevent cross-site scripting can be circumvented

Affected versions

Next.js versions 11.1.4 through 13.5.6
Next.js versions 14.0 through 14.2.24
Next.js versions 15.0 through 15.2.2

Patched versions

Next.js version 15.2.3 and later
Next.js version 14.2.25 and later
Next.js deployments hosted on Vercel are automatically protected

The exact header value needed for exploitation varies by project configuration:

Pages Router (versions 11.1.4-12.1.x): x-middleware-subrequest: pages/_middleware
App Router (versions 12.2.x-13.x): x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
App Router with /src folder (versions 14.x-15.2.2): x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware

Users are advised to update Next.js Immediately and upgrade to version 15.2.3+ or 14.2.25+. As a temporary workaround, block HTTP header x-middleware-subrequest,

Critical security vulnerability reported in Next.js framework

Read More
Cursor IDE vulnerability enables persistent code execution through …
Library hallucinations in AI generated code creates risk …
Critical vulnerability in GitHub Enterprise Server enables access …
Critical flaws reported in CocoaPods dependency manager for …
GitLab fixes critical arbitrary file write flaw