- nextjs
- middleware
- auth-bypass
- cve-2025-29927
- metasploit
news
Next.js Middleware Authorization Bypass Scanner (CVE-2025-29927)
x-middleware-subrequest header skips middleware auth gates on self-hosted Next.js < 12.3.5 / 13.5.9 / 14.2.25 / 15.2.3 — CVSS 9.1.
Summary
CVE-2025-29927 is a critical authorization bypass in self-hosted Next.js middleware with CVSS 9.1. Rapid7's Metasploit module auxiliary/scanner/http/nextjs_middleware_auth_bypass detects vulnerable instances.
Next.js tags internal subrequests with the x-middleware-subrequest header and skips middleware when it sees the value — but the header is trusted from external clients. An attacker supplying crafted values bypasses authentication, authorization, and redirect logic implemented in middleware.
Not CVE-2025-55182 (React2Shell / Server Components RCE) — this is a separate middleware-trust flaw discovered by zhero and inzo.
Affected self-hosted lines: < 12.3.5, < 13.5.9, < 14.2.25, < 15.2.3 (fixed in those patch releases).
Key Findings
| Finding | Detail |
|---|---|
| CVE | CVE-2025-29927 |
| Weakness | Trusted external x-middleware-subrequest header |
| Bypass payloads | Five-value recursion (middleware:middleware:…), src/middleware variants, single middleware, pages/_middleware |
| Scanner method | Differential: baseline gated path (401/403/redirect) vs same path with header |
| Module type | Detection only — does not act on bypassed response |
| Disclosure | 2025-03-21 |
Attack Chain
GET /dashboard (middleware-gated) → 401/403 or redirect to login
↓
GET /dashboard + x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
↓
Middleware skipped → protected page served (200) or redirect target changes
↓
Unauthenticated access to routes behind middleware auth
Next.js ≥ ~13.2 requires the middleware module name five times (MAX_RECURSION_DEPTH); earlier versions accept a single occurrence.
Impact
Self-hosted Next.js apps that rely on middleware for auth (dashboards, admin panels, API route gates) are fully bypassable on vulnerable builds. Vercel-hosted deployments are not affected per vendor guidance.
Mitigation
- Upgrade to 12.3.5+, 13.5.9+, 14.2.25+, or 15.2.3+ depending on your release line.
- Strip or block x-middleware-subrequest at the reverse proxy/WAF for defense in depth.
- Do not rely solely on middleware for security boundaries — enforce auth in server components/API handlers too.
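The proxy-side check and header strip described above, as an added example that is not part of the Metasploit module or the Next.js project: an inbound x-middleware-subrequest header from an external client is never legitimate, since Next.js sets it only on its own internal subrequests, so an edge function or proxy hook can alert on it and drop it before the request reaches the app. The request shape, `inspectRequest`/`sanitizeRequest` names and the sample traffic are assumptions constructed for this example.

```javascript
// Added example (not from Rapid7 or Next.js): flag and strip the
// x-middleware-subrequest header in front of a self-hosted Next.js app.
// Request objects are a constructed shape: { method, path, headers }.

const SUBREQUEST_HEADER = "x-middleware-subrequest";
// Module names the vulnerable builds accept in the header (from the advisory):
// a single occurrence on old builds, five-deep recursion on >= ~13.2.
const MIDDLEWARE_NAMES = new Set(["middleware", "src/middleware", "pages/_middleware"]);

// HTTP header names are case-insensitive, so normalise keys before matching.
function lowerHeaders(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Returns null when the request is clean, otherwise a reason string for the alert.
function inspectRequest(req) {
  const value = lowerHeaders(req.headers || {})[SUBREQUEST_HEADER];
  if (value === undefined) return null;
  const parts = String(value).split(":");
  const looksLikeBypass = parts.some((p) => MIDDLEWARE_NAMES.has(p.trim()));
  return looksLikeBypass
    ? `CVE-2025-29927 bypass attempt: ${SUBREQUEST_HEADER}=${value} (${parts.length} segment(s))`
    : `unexpected ${SUBREQUEST_HEADER} from external client: ${value}`;
}

// Drops the header regardless of value: defense in depth even on patched builds.
function sanitizeRequest(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) {
    if (k.toLowerCase() !== SUBREQUEST_HEADER) headers[k] = v;
  }
  return { ...req, headers };
}

// Constructed sample traffic against a middleware-gated route.
const SAMPLE_REQUESTS = [
  { method: "GET", path: "/dashboard", headers: { cookie: "session=abc" } },
  { method: "GET", path: "/dashboard", headers: { "X-Middleware-Subrequest": "middleware:middleware:middleware:middleware:middleware" } },
  { method: "GET", path: "/admin", headers: { "x-middleware-subrequest": "src/middleware" } },
];

// Runs the check over a batch and returns one verdict per request.
function scanTraffic(requests) {
  return requests.map((r) => ({ path: r.path, verdict: inspectRequest(r) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of scanTraffic(SAMPLE_REQUESTS)) console.log(r.path, r.verdict ?? "clean");
}
```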