Next.js Middleware Authorization Bypass Vulnerability: Who is at Risk?

A critical vulnerability in the Next.js framework, officially disclosed on March 21, 2025, allows attackers to bypass middleware security checks by manipulating a single HTTP header. This article covers what is known about CVE-2025-29927, how to mitigate the risk, and how Invicti (formerly Netsparker) products detect and confirm the presence of the vulnerability in web applications.

General information

This vulnerability (CVE-2025-29927) was confirmed by Next.js, one of the most popular React-based website frameworks.

Middleware is a processing chain that allows software modules to inspect, modify, or reroute HTTP requests before they reach the final code handler. Authentication is often implemented there.

The flaw allows a complete bypass of the Next.js middleware in the application, including critical security features implemented there, such as authentication and authorization.

As of March 25, 2025, all Invicti products can detect and report the CVE.

The vulnerability affects the following versions of Next.js:

  • Next.js 11.1.4 – 13.5.6 (unpatched)
  • Next.js 14.x to 14.2.25
  • Next.js 15.x to 15.2.3

The only reliable way to fix the vulnerability is to upgrade to a secure version. Teams can temporarily enable blocking with a WAF at the proxy level, but this is not a long-term solution.

Risk of middleware bypass in Next.js

The vulnerability allows attackers to completely bypass the middleware functionality by adding a specially crafted x-middleware-subrequest header to HTTP requests.

This issue is particularly critical because Next.js middleware is widely used for authentication, authorization, path rewriting, and security headers, all of which an attacker can bypass with this flaw.

Who is at risk?

If the answer to both of the following questions is “yes”, the application is vulnerable unless it has been updated:

  • Does the website rely on the Next.js middleware to implement security features?
  • Is the application started with next start and configured with output: ‘standalone’?

The risk is particularly high if:

  • The middleware is used to verify authorization or authentication.
  • The website relies on the middleware to implement security headers (such as Content Security Policy – CSP) that restrict where resources are allowed to be loaded.
  • Middleware is used for path rewriting to restrict access to certain routes.

Not vulnerable:

  • Applications hosted on Vercel or Netlify, as these platforms have implemented mitigations at their edge layers.
  • Websites deployed as static exports (where middleware is not executed).

If the team does not know the details of Next.js usage or wants to be able to test for this vulnerability, using an automated DAST solution is a good option.

How the Next.js middleware vulnerability works

The internal header x-middleware-subrequest is used by Next.js to prevent infinite loops of recursive middleware requests. The vulnerability allows an attacker to supply this header in an external request, so that Next.js treats the request as an internal subrequest and does not execute the middleware.

The exploit differs based on the version of Next.js:

  • For versions prior to 12.2: x-middleware-subrequest: pages/_middleware
  • For newer versions: x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware (or src/middleware:src/middleware:src/middleware:src/middleware:src/middleware if the src directory is used)

When this header contains the appropriate value, the middleware is completely bypassed, allowing the request to skip security checks or modifications.

How Invicti products detect CVE-2025-29927

Passive detection via traffic inspection with dynamic Software Composition Analysis (Invicti)

The vulnerability is detected by passively monitoring web traffic during scanning. Invicti Enterprise uses this method together with its vulnerability database to find the flaw. The technique looks for the x-powered-by: Next.js header in responses, which indicates that the application is using Next.js. The presence of a vulnerable version is then confirmed by reading next.version in the browser’s JavaScript context to obtain the exact version.

The solution then compares this value to a continuously updated database of known CVEs and network detection signatures to determine whether the version is vulnerable.

As of March 25, 2025, this check is available in Invicti Enterprise, Standard, and Acunetix 360.

Active detection (Acunetix)

As of Monday, March 24, 2025, the check is available to all Acunetix Premium customers.

How it works:

1. Identifying Next.js middleware usage: the check first looks for the telltale signs of Next.js middleware, specifically a 307 redirect where the response body equals the location header value. This pattern is unique to Next.js middleware redirects.

2. Confirming the presence of the Next.js framework: look for the x-powered-by: Next.js header in responses.

3. Checking with payloads:

  • For newer versions (13.2.0+): middleware:middleware:middleware:middleware:middleware (and the src/middleware variant if the src directory is used)
  • For versions before 12.2: pages/_middleware
  • For intermediate versions (12.2 to 13.2.0): middleware

4. Additional checks:

  • Sending a request with the potential bypass header and checking whether the response returns 200 OK.
  • A control request with a slightly modified header name, such as Y-Middleware-Subrequest, to confirm that the redirect (307) still happens.
  • Another request with an incorrect header value to confirm that the normal behavior (the redirect) is preserved.
  • Repeating the successful bypass.

5. Confirming the vulnerability only after all stages of the check pass, which reduces the risk of false positives.

How to fix CVE-2025-29927

1. Updating Next.js immediately:

  • 15.x → ≥ 15.2.3
  • 14.x → ≥ 14.2.25
  • 13.x → ≥ 13.5.9
  • 12.x → ≥ 12.3.5
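The passive check described above reduces to a version comparison against the affected ranges and the fixed releases listed in this article. The following is an added example (not Invicti’s code) that classifies a Next.js fingerprint (the x-powered-by header plus next.version) using those figures; the treatment of pre-release tags and of majors newer than 15 is an assumption, not something the article states.

```javascript
// Added example: is this self-hosted Next.js version in the CVE-2025-29927
// affected range? Fixed versions come from the upgrade table in the article;
// 11.x (from 11.1.4) is affected and has no patched release.
const FIXED_IN = { 15: "15.2.3", 14: "14.2.25", 13: "13.5.9", 12: "12.3.5" };
const FIRST_AFFECTED = "11.1.4";

// Parse "15.2.2" or "v15.2.2-canary.3" into numeric [major, minor, patch].
// Assumption: a pre-release tag is ignored and the version is treated as the
// release it precedes.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Next.js version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Sort-style comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Classify one fingerprint: poweredBy is the x-powered-by response header,
// version is next.version read from the page's JavaScript context.
function assessNextjs({ poweredBy, version }) {
  if (!/^next\.js$/i.test(String(poweredBy || "").trim())) {
    return { framework: "unknown", affected: false, fixedIn: null,
             reason: "no x-powered-by: Next.js header" };
  }
  if (compareVersions(version, FIRST_AFFECTED) < 0) {
    return { framework: "Next.js", affected: false, fixedIn: null,
             reason: `older than ${FIRST_AFFECTED}` };
  }
  const major = parseVersion(version)[0];
  if (major > 15) {
    // Assumption: majors after 15 were released with the fix included.
    return { framework: "Next.js", affected: false, fixedIn: null,
             reason: "newer major than the advisory covers" };
  }
  const fixed = FIXED_IN[major];
  if (!fixed) {
    return { framework: "Next.js", affected: true, fixedIn: null,
             reason: "11.x has no patched release; upgrade to a supported major" };
  }
  const affected = compareVersions(version, fixed) < 0;
  return { framework: "Next.js", affected, fixedIn: fixed,
           reason: affected ? `below ${fixed}` : `at or above ${fixed}` };
}

module.exports = { parseVersion, compareVersions, assessNextjs };
```

Because the comparison is numeric rather than lexical, 14.2.25 correctly sorts above 14.2.3, which a naive string compare would get wrong.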

2. Temporary measures if immediate update is not possible:

  • Blocking the x-middleware-subrequest header at the proxy or edge level (not in the middleware itself!).
  • Cloudflare users can enable the appropriate WAF rule (it is currently marked as optional in the solution, as it affects third-party authentication frameworks).

Invicti thanks Rachid Allam and Yasser Allam for their research, as well as the internal teams for quickly implementing the check in one business day.

The Invicti security team continues to monitor the situation and will update information as it becomes available.
