A critical vulnerability in the Next.js web development framework could let hackers bypass authorization checks. Tracked as CVE-2025-29927, the flaw allows attackers to send requests directly to destination paths, skipping crucial security protocols.
Next.js, a widely-used React framework with over 9 million weekly npm downloads, is favored by developers for constructing full-stack web applications. Companies like TikTok, Twitch, Hulu, Netflix, Uber, and Nike use the framework for their sites and apps.
Middleware components in Next.js handle tasks like authentication, authorization, logging, and redirecting users before a request reaches the application routing system. To avoid infinite loops, Next.js employs an ‘x-middleware-subrequest’ header, which determines whether middleware functions should be applied.
The ‘runMiddleware’ function checks for this header. If detected with a specific value, it bypasses the entire middleware execution, forwarding the request directly to its destination. An attacker can exploit this by manually sending a request with the correct header value.
Researchers Allam Rachid and Allam Yasser (inzo_), who identified the vulnerability, stated that “the header and its value act as a universal key allowing rules to be overridden.”
The security issue affects all Next.js versions before 15.2.3, 14.2.25, 13.5.9, and 12.3.5. Users should upgrade immediately, as technical details for exploiting the vulnerability are now public.
Next.js’ security bulletin specifies that CVE-2025-29927 only affects self-hosted versions using ‘next start’ with ‘output: standalone.’ Apps hosted on Vercel and Netlify, or those deployed as static exports, are not impacted.
Environments where middleware is utilized for authorization or security checks without subsequent validation in the application is at risk.
If patching is not immediately feasible, the suggested course of action is to block any external user requests which include the ‘x-middleware-subrequest’ header.
