Full Report
NextJS is a super popular React framework with a ton of extra functionality. In fact, this website is built on top of it. The author of this post was reviewing NextJS and found a way to circumvent the middleware, which is commonly used for authentication.

Within the framework, there is a check for recursive requests, for instance when the middleware itself makes a request to the server. This is done by setting the x-middleware-subrequest header to the path of the middleware being executed. For every piece of middleware the request passes through, a colon-delimited path is appended. If the middleware has already been seen, the code simply skips it. As it turns out, it's possible to specify this header yourself! So, if you know the path of the middleware you want to skip, adding x-middleware-subrequest: my_path bypasses the check. If the middleware is used for authentication/authorization, that's a horrible vulnerability. The path is somewhat guessable, and the header can be used as a polyglot as well.

Initially, they found this in an old version of the package. Since that code had been removed, they assumed only older versions were affected. In reality, the code had been moved somewhere else. It's best to report vulnerabilities, even if they only affect older versions; you never know what you're missing about impact as a bug hunter. In current versions there's no need to guess the path at all: the value is simply middleware or src/middleware. The change of path actually makes the bypass easier. Additionally, there is now a recursion check with a maximum depth of 5, so middleware: just needs to be repeated 5 times.

They used this exploit on a few bug bounty programs. One program was using the middleware as a rewrite rule; they knew this because of a header in the response. By using this vulnerability, they were able to visit the admin page. On another program, they used it for a cache-poisoning DoS by forcing a 404 response through skipping the rewrite rules.
Overall, an excellent write-up on the discovery and exploitation of a NextJS vulnerability. I learned a ton about the framework, exploitation, and proper disclosure from this. Great work!
Analysis Summary
# Vulnerability: Next.js Middleware Authorization Bypass
## CVE Details
- **CVE ID**: CVE-2025-29927
- **CVSS Score**: Not specifically listed (estimated High/Critical based on context)
- **CWE**: CWE-287 (Improper Authentication) / CWE-639 (Access Control Bypass)
## Affected Systems
- **Products**: Next.js Framework
- **Versions**: All versions prior to **15.2.3** (including legacy versions back to 12.0.0).
- **Configurations**: Applications utilizing Next.js **Middleware** for sensitive operations such as authentication, authorization, or path rewriting.
## Vulnerability Description
The flaw resides in how Next.js identifies and prevents recursive middleware loops. To prevent an infinite loop (where a middleware request triggers itself), Next.js uses the internal header `x-middleware-subrequest`.
The framework checks this header for a colon-delimited list of middleware execution paths. If the current middleware's name is found within this header, the framework assumes it has already executed for that request cycle and skips it. Researchers discovered that this header can be **manually injected** by an external attacker. By providing the expected path name in the header, an attacker can trick the server into skipping the security logic entirely.
## Exploitation
- **Status**: PoC available; exploited in the wild (bug bounty engagements).
- **Complexity**: Low.
- **Attack Vector**: Network (Remote).
An attacker can bypass middleware by providing the `x-middleware-subrequest` header. In modern versions, the target path is typically `middleware` or `src/middleware`. Due to a recursive check limit, repeating the value five times (e.g., `middleware:middleware:middleware:middleware:middleware`) ensures the skip logic is triggered.
## Impact
- **Confidentiality**: High (Bypass of authentication/authorization to reach internal/admin pages).
- **Integrity**: High (Can bypass rewrite rules or security headers like CSP).
- **Availability**: High (Potential for Cache-Poisoning DoS by forcing 404 responses or incorrect cached states).
## Remediation
### Patches
- **Next.js 15.2.3** (includes the primary fix and backports for supported versions).
- Users should update to the latest stable release immediately.
### Workarounds
- Implement authorization checks within the actual Page or API Route logic as a secondary defense layer (Defense in Depth), rather than relying solely on Middleware.
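To make the mechanism in the Vulnerability Description and Exploitation sections concrete, and to show why the workaround above actually helps, here is a small model of the request pipeline. This is an added example, not Next.js source code and not code from the original research: the skip check mirrors only the behaviour the write-up describes (colon-delimited list, depth limit of five), and `runPipeline`, `authMiddleware`, `stripInternalHeaders`, `naiveAdminHandler` and `hardenedAdminHandler` are invented names. Header keys are assumed to be lower-cased, as Node's `http` module delivers them.

```javascript
// Added example (not Next.js source code): a model of the request pipeline
// described in the advisory text. Names and structure are invented for the
// illustration; the real framework internals are more involved.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';
const MIDDLEWARE_NAME = 'middleware'; // 'src/middleware' in a src/ layout
const MAX_RECURSION_DEPTH = 5;        // the depth limit the write-up mentions

// Mirrors the described check: count how many times this middleware's name
// appears in the colon-delimited list; at or above the depth limit the
// framework assumes a recursive subrequest and skips the middleware.
// The flaw: the value is taken from the request as-is, so a client controls it.
function shouldSkipMiddleware(headers) {
  const raw = headers[SUBREQUEST_HEADER];
  if (typeof raw !== 'string') return false;
  const depth = raw.split(':').filter((p) => p === MIDDLEWARE_NAME).length;
  return depth >= MAX_RECURSION_DEPTH;
}

// Middleware a site relies on for auth: redirect anonymous /admin requests.
function authMiddleware(req) {
  if (req.path.startsWith('/admin') && !req.session) {
    return { status: 307, location: '/login' };
  }
  return null; // fall through to the route handler
}

// Route handler that trusts the middleware to have done the work.
function naiveAdminHandler() {
  return { status: 200, body: 'admin dashboard' };
}

// Defense-in-depth handler (the workaround above): re-checks authorization
// itself, so it stays safe even when the middleware did not run.
function hardenedAdminHandler(req) {
  if (!req.session || req.session.role !== 'admin') {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: 'admin dashboard' };
}

// Edge mitigation: an internal header must never arrive from outside, so the
// reverse proxy / WAF drops it before the request reaches the app.
function stripInternalHeaders(req) {
  const headers = { ...req.headers };
  delete headers[SUBREQUEST_HEADER];
  return { ...req, headers };
}

function runPipeline(req, handler) {
  if (!shouldSkipMiddleware(req.headers)) {
    const early = authMiddleware(req);
    if (early) return early;
  }
  return handler(req);
}

// Constructed requests: an anonymous client asking for /admin, with and
// without the spoofed internal header.
function scenarios() {
  const spoofedValue = Array(MAX_RECURSION_DEPTH).fill(MIDDLEWARE_NAME).join(':');
  const anonymous = { path: '/admin', session: null, headers: {} };
  const spoofed = { ...anonymous, headers: { [SUBREQUEST_HEADER]: spoofedValue } };
  return {
    normalRedirect: runPipeline(anonymous, naiveAdminHandler).status,                     // 307
    bypassed: runPipeline(spoofed, naiveAdminHandler).status,                             // 200
    strippedAtEdge: runPipeline(stripInternalHeaders(spoofed), naiveAdminHandler).status, // 307
    handlerRechecks: runPipeline(spoofed, hardenedAdminHandler).status,                   // 403
  };
}

console.log(scenarios());
```

The two mitigations are independent: stripping the header at the edge keeps the middleware running for external traffic, while the handler-level check holds up even if the middleware is skipped for any reason. Patching to a fixed release remains the primary fix; the model only shows what the workaround buys you in the meantime.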
## Detection
- **Indicators of Compromise**: Incoming HTTP requests containing the `x-middleware-subrequest` header from external/untrusted clients.
- **Detection Methods**: Monitor WAF or application logs for the presence of internal Next.js headers (specifically `x-middleware-subrequest`) in edge traffic.
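One way to turn the detection method above into a check that runs over edge or WAF logs, as an added example that is not part of the advisory or of Next.js. The JSON log shape, the field names `ts`, `src_ip`, `path` and `headers`, and the set of trusted source addresses are assumptions made for this illustration; the sample log lines are constructed.

```javascript
// Added example (not from the advisory or Next.js): flag external requests
// carrying the internal x-middleware-subrequest header in edge access logs.
// Log format, field names and trusted sources are assumptions.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// Assumption: loopback is the only source from which the app's own
// subrequests could plausibly show up in these logs. In many deployments the
// framework's subrequests never traverse the edge at all, and any occurrence
// can be alerted on.
const TRUSTED_SOURCES = new Set(['127.0.0.1', '::1']);

// Case-insensitive lookup: header names are not case-sensitive and log
// producers preserve different casings.
function findHeader(headers, name) {
  if (!headers || typeof headers !== 'object') return undefined;
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === name) return value;
  }
  return undefined;
}

function detectSubrequestSpoofing(lines) {
  const hits = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    const value = findHeader(entry.headers, INTERNAL_HEADER);
    if (value === undefined) continue;
    if (TRUSTED_SOURCES.has(entry.src_ip)) continue;
    const segments = String(value).split(':').filter(Boolean);
    hits.push({
      ts: entry.ts,
      src_ip: entry.src_ip,
      path: entry.path,
      value: String(value),
      depth: segments.length,
      // Five or more segments matches the recursion limit described above;
      // any external occurrence is still worth an alert.
      severity: segments.length >= 5 ? 'high' : 'medium',
    });
  }
  return hits;
}

// Constructed sample log, one JSON object per line.
const SAMPLE_LOG = [
  '{"ts":"2025-03-22T10:00:01Z","src_ip":"203.0.113.10","path":"/","headers":{"user-agent":"curl/8.0"}}',
  '{"ts":"2025-03-22T10:00:02Z","src_ip":"203.0.113.10","path":"/admin","headers":{"X-Middleware-Subrequest":"middleware:middleware:middleware:middleware:middleware"}}',
  '{"ts":"2025-03-22T10:00:03Z","src_ip":"127.0.0.1","path":"/api/health","headers":{"x-middleware-subrequest":"middleware"}}',
  '{"ts":"2025-03-22T10:00:04Z","src_ip":"198.51.100.7","path":"/dashboard","headers":{"x-middleware-subrequest":"src/middleware"}}',
  'not json at all',
];

console.log(detectSubrequestSpoofing(SAMPLE_LOG));
```

Run against the sample, the /admin request with five repeated segments and the /dashboard request with `src/middleware` are flagged; the loopback request and the malformed line are ignored. Pair the alert with the edge rule that strips the header, so a hit is evidence of an attempt rather than of a successful bypass.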
## References
- Vendor Advisory: [Next.js security advisories](https://github.com/vercel/next.js/security/advisories)
- Original Research: [Next.js and the corrupt middleware](https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware)
- Next.js GitHub: [vercel/next.js](https://github.com/vercel/next.js)