Imagine building a robust security system for your web application only to discover that a simple, overlooked header allows attackers to bypass all your defenses. This is precisely the scenario developers faced with the discovery of CVE-2025-29927, a critical vulnerability in Next.js.
This vulnerability allows attackers to bypass authorization checks implemented in Next.js middleware by manipulating the x-middleware-subrequest header. By crafting requests with this header, attackers can gain unauthorized access to protected routes, essentially making middleware-based authorization checks ineffective.
What is CVE-2025-29927?
This CVE affects Next.js versions from 1.11.4 up to 12.3.5, 13.5.9, 14.2.25, and 15.2.3. When a request includes the x-middleware-subrequest header, and authorization logic is implemented within middleware, the application may skip the check entirely, allowing unauthorized access to protected content or actions.
What is Next.js Middleware?
Next.js Middleware is a feature that allows developers to execute code before a request is completed, enabling the modification of requests and responses based on specific conditions. This capability is particularly useful for implementing functionalities such as authentication, redirects, and header manipulation.
Middleware is defined in a middleware.ts (or .js) file located at the root of your project. This file exports a function that receives a NextRequest object and returns a NextResponse object.
How Next.js CVE-2025-29927 Exploit Works
The x-middleware-subrequest header is used internally by Next.js to track middleware subrequests and prevent infinite loops. If the middleware has been invoked too many times (five, by default), Next.js skips executing it entirely. However, attackers can manipulate the x-middleware-subrequest header in their HTTP requests to deceive Next.js into treating them as internal subrequests, thereby bypassing middleware execution.
For example, an attacker can send a request with the following header:
x-middleware-subrequest:
middleware:middleware:middleware:middleware:middlewareThis header value exceeds the default recursion limit, causing Next.js to skip the middleware checks entirely. As a result, unauthorized users may gain access to protected routes without proper authentication.
Why Does This Matter?
Middleware is a common function in modern web applications, and many teams rely on it for security control. It’s often used as the first (and sometimes only) line of defense for protecting routes, enforcing authentication, or shaping request behavior.
If those controls can be bypassed easily, it puts sensitive data and critical business logic at risk. If unauthorized users gain access to private data or user accounts due to a misconfigured or vulnerable middleware setup, the organization could be held responsible for a preventable security breach.
For end users, the impact is direct and personal; their private data, accounts, or actions could be exposed or manipulated without their knowledge or consent. Trust in an application can be severely damaged, and users may not return after a security lapse—especially if they’re not informed promptly or transparently.
In essence, middleware vulnerabilities like CVE-2025-29927 don’t just threaten your backend—they threaten your users’ privacy, your app’s reliability, and your team’s credibility.
How to Protect Your App
- Upgrade to a safe version
Patch the vulnerability by upgrading to one of the fixed versions: 12.3.5, 13.5.9, 14.2.25, or 15.2.3 of Next.js. - Block malicious headers
If upgrading isn’t an option, configure your web server or proxy to block requests containing thex-middleware-subrequestheader, which is central to this exploit. - Add another security layer
Avoid relying solely on middleware for critical security checks. Implement additional validation within your application logic. - Monitor for suspicious activity
Use application monitoring tools like OX, Datadog, Sentry, or New Relic to detect and alert on unexpected headers (likex-middleware-subrequest). Real-time monitoring can help you respond to exploit attempts before any damage is done. - Integrate header-based testing into CI/CD
Update your security testing tools (e.g., OWASP ZAP, Burp Suite) to include header fuzzing scenarios. This ensures vulnerabilities like this are caught during development, not in production. - Educate your team
Raise awareness internally. Many developers assume middleware is “secure enough.” A quick sync or lunch-and-learn explaining this CVE can go a long way in preventing similar issues in the future. - Use a WAF to block risky headers
Leverage a Web Application Firewall (e.g., Cloudflare, AWS WAF, or Azure Front Door) to block or sanitize dangerous headers before they reach your app. This adds another protective layer—even before a patch is applied. - Add regression tests
Once patched, write a security regression test that attempts to exploit the issue (e.g., sending a spoofed header). This ensures the vulnerability doesn’t resurface in future code changes. - Layer in a strong content security policy (CSP)
While not directly related to this CVE, enforcing a strict CSP helps minimize the impact of unauthorized access, especially when used with route-based protections.
How OX can help
At OX Security, we go beyond simply identifying known vulnerabilities like CVE-2025-29927 —we help you understand whether they are actually exploitable in your codebase.
On our Issues page, you can see if your code includes any known CVEs. For some vulnerabilities, OX also indicates whether the vulnerability is truly exploitable in your codebase, along with supporting evidence from your codebase and an explanation.
Here’s how an issue for CVE-2025-29927 would appear in OX for this vulnerable code:
Real-world impact: How often is CVE-2025-29927 actually exploitable
While discovering a CVE is important, understanding its real-world impact is what truly matters. Not every instance of a vulnerability in your codebase is necessarily exploitable — and distinguishing between the two is key for prioritizing fixes.
Using real data collected from OX Security customers, we looked at how often CVE-2025-29927 appears in codebases and then analyzed the percentage of cases in which it is actually exploitable.
The following chart shows the split between exploitable and non-exploitable instances of this vulnerability in real-world environments.
In summary, CVE-2025-29927 exposes a critical flaw in how Next.js middleware can be bypassed by manipulating the x-middleware-subrequest header, particularly when authentication logic is implemented solely in middleware. When this header includes five or more repetitions, Next.js assumes the middleware was already executed too many times and skips it, potentially allowing unauthorized access to protected routes.
The CVE only becomes exploitable if three conditions are met:
The application uses a vulnerable version of Next.js
Authentication or access control is handled in middleware.
The attacker can inject or manipulate the x-middleware-subrequest header.
Based on our data, while this CVE does appear in some codebases, it was exploitable in only 17.7% of the cases we observed. In the vast majority of instances, the conditions for exploitation simply weren’t met. This insight is critical—it allows security teams to differentiate between true risks and theoretical risk, prioritize vulnerability remediation effectively, and focus on issues that would cause negative impacts if compromised.
The OX Security Unified AppSec Platform provides this clarity by identifying known issues and helping AppSec teams determine exploitability in any given environment. This advanced analysis enables faster, smarter, and more confident security decisions with verifiable evidence.
)
