Researchers have discovered a critical security vulnerability in Next.js that allows attackers to easily bypass middleware authorization measures. The vulnerability, designated CVE-2025-29927, was discovered by Rachid Allam and Yasser Allam and since assigned a base CVSS score of 9.1. By skipping checks for authorization cookies, attackers can potentially gain access to restricted areas of applications like admin tools and dashboards. Because of the ease of exploitation and high impact, this vulnerability poses a significant risk to affected systems.
What is CVE-2025-29927?
CVE-2025-29927 is a critical vulnerability in Next.js, a popular React-based web framework, that was publicly disclosed in March 2025. It affects self-hosted applications running versions 11.1.4 through 15.2.2 using the next start command with output: 'standalone'.
The vulnerability allows attackers to bypass authorization middleware by injecting a specially crafted x-middleware-subrequest HTTP header, granting unauthorized access to protected resources. With a CVSS score of 9.1, this flaw poses a serious security risk, particularly for applications that rely solely on middleware for access control without implementing additional server-side authorization checks. While deployments on platforms like Vercel or using static exports are not affected, self-hosted instances must be promptly updated or reconfigured to mitigate potential exploitation.
Affected Versions and Fixes
CVE-2025-29927 impacts self-hosted Next.js applications running versions 11.1.4 through 15.2.2, specifically when deployed using the next start command with the output: 'standalone' configuration.
The vulnerability is present in environments where applications rely solely on middleware-based authorization, without implementing additional server-side authentication or access control mechanisms. A key condition for exploitation is the acceptance of the x-middleware-subrequest HTTP header from external sources, which can be used by attackers to trick the application into bypassing middleware logic. Applications deployed on Vercel, Netlify, or as static exports are not vulnerable, as those environments do not expose the middleware in a way that can be exploited. The issue has been patched in the following versions: 15.2.3, 14.2.25, 13.5.9, and 12.3.5, and all users are strongly encouraged to upgrade to these or later versions to mitigate the risk.
Steps to Remediate or Mitigate the Vulnerability
To address CVE-2025-29927, consider the following actions:
- Update Next.js: Upgrade to the latest patched versions:
  - For Next.js 15.x, update to version 15.2.3.
  - For Next.js 14.x, update to version 14.2.25.
  - For Next.js 13.x, update to version 13.5.9.
  - For Next.js 12.x, update to version 12.3.5.
- Implement workarounds if immediate patching isn't possible:
  - Filter incoming requests: Configure load balancers or reverse proxies to remove the x-middleware-subrequest header from incoming requests.
  - Web server configuration: For Nginx, use the proxy_set_header directive to set x-middleware-subrequest to an empty value. In Apache, use the RequestHeader unset directive to remove the header.
- Enhance authorization mechanisms:
  - Implement additional server-side authorization checks beyond middleware to validate user permissions.
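The following is an added JavaScript illustration of the two layers recommended above (strip the internal header at the edge, and re-check authorization inside the protected route); it is not code from the advisory or from the Next.js project. The header name comes from the advisory; the session table, `sanitizeInbound`, `adminHandler` and `handleRequest` are hypothetical stand-ins for a real proxy filter and route handler.

```javascript
// Defence in depth for CVE-2025-29927 (added example, not project code).
// Layer 1 mirrors the proxy_set_header / RequestHeader unset workarounds.
// Layer 2 makes the route verify the session itself, so it stays protected
// even if middleware did not run for the request.

const BLOCKED_HEADER = 'x-middleware-subrequest'; // header named in the advisory

// Constructed session table standing in for a real session store.
const SESSIONS = new Map([
  ['sess-admin', { user: 'alice', role: 'admin' }],
  ['sess-user', { user: 'bob', role: 'user' }],
]);

// Layer 1: drop any externally supplied copy of the internal header and report
// that it was present, so the event can be forwarded to logging or alerting.
function sanitizeInbound(headers) {
  const cleaned = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === BLOCKED_HEADER) { stripped = true; continue; }
    cleaned[name.toLowerCase()] = value;
  }
  return { headers: cleaned, stripped };
}

// Layer 2: the protected route re-checks authorization from the session cookie
// instead of trusting that middleware already did. Returns an HTTP-style result.
function adminHandler(headers) {
  const cookie = headers.cookie || '';
  const match = /(?:^|;\s*)session=([^;]+)/.exec(cookie);
  const session = match ? SESSIONS.get(match[1]) : undefined;
  if (!session) return { status: 401, body: 'authentication required' };
  if (session.role !== 'admin') return { status: 403, body: 'forbidden' };
  return { status: 200, body: `admin dashboard for ${session.user}` };
}

// Full path of an inbound request: edge filter first, then the route-level check.
function handleRequest(rawHeaders) {
  const { headers, stripped } = sanitizeInbound(rawHeaders);
  const result = adminHandler(headers);
  return { ...result, headerStripped: stripped };
}
```

Because the route decides on the session cookie alone, a request that carries the internal header but no valid admin session is still refused, and the `headerStripped` flag gives a detection signal worth alerting on.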
Previous Notable Vulnerabilities in Next.js
Monitoring your assets and vendors using Next.js is an important part of an ongoing security program. Next.js has disclosed several vulnerabilities in the past and, like all software, will have more in the future. Examples of prior issues, and reasons to continue monitoring for Next.js vulnerabilities, include:
- Denial of service (DoS) with server actions (January 2025): This vulnerability could be exploited to cause service disruptions.
- Authorization bypass in Next.js (December 2024): A high-severity flaw that allowed unauthorized access under certain conditions.
- HTTP request smuggling (May 2024): This issue could enable attackers to interfere with the processing of HTTP requests between clients and servers.