Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927)

A critical vulnerability (CVE-2025-29927) in the open source Next.js framework can be exploited by attackers to bypass authorization checks and gain unauthorized access to web pages they should not have access to (e.g., the web app’s admin panel).

Vercel – the cloud platform-as-a-service company that develops the popular framework – has released security updates fixing it, and has advised users to upgrade as soon as possible.

What is Next.js and how does CVE-2025-29927 manifest?

Next.js is a full-stack framework that makes building and shipping web applications easier, by helping with page rendering, routing, performance and SEO optimization, etc.

Next.js is built on React, a JavaScript library that is used for building web user interfaces out of individual, reusable components, and together they are used to quickly build full-stack, production-ready applications.

Next.js uses its own middleware to process requests, protect routes, add security headers to responses, and handle things like user authentication and user redirection (e.g., based on geolocation, their session / authorization cookies, etc.).

CVE-2025-29927 allows attackers to bypass middleware security controls by sending a request with a specially crafted x-middleware-subrequest header to the target application.

“If we add the x-middleware-subrequest header with the correct value to our request, the middleware – whatever its purpose – will be completely ignored, and the request will be forwarded via NextResponse.next() and will complete its journey to its original destination without the middleware having any impact/influence on it. The header and its value act as a universal key allowing rules to be overridden,” explained Rachid Allam and Yasser Allam, the security researchers who discovered the vulnerability.

They reported the vulnerability privately to Vercel, whose developers pushed out temporary patches on March 14, 2025, and then started releasing new, fixed versions of the various branches of the Next.js framework a few days later.

What to do?

Next.js is widely used by enterprises, including the likes of Twitch, Spotify, Binance, Hulu, TikTok, OpenAI, and many others.

RunZero CEO HD Moore (of Metasploit fame) pointed out that the Shodan search engine currently shows over 300,000 services with the `X-Powered-By: Next.js` header alone.

All versions of Next.js were found to be vulnerable to CVE-2025-29927. The issue has been fixed in versions 15.2.3, 14.2.25, 13.5.9 and 12.3.5.

According to the Next.js maintainers, the vulnerability affects self-hosted Next.js applications using middleware, especially if they rely only on the middleware for authentication or security checks. Applications hosted on the Vercel and Netlify cloud platforms are not affected, and neither are applications deployed as static exports (because middleware is not executed).

“If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application,” the framework maintainers advised.

ProjectDiscovery has provided advice on the different ways this mitigation can be implemented.

Cloudflare has made available a rule that blocks such requests for its managed WAF (web application firewall) customers, and has advised others on how to create a custom one.
