Next.js Middleware Bypass (CVE-2025-29927)
A critical vulnerability in Next.js versions before 15.2.3 allows attackers to bypass middleware-based auth checks entirely by sending a crafted internal header.
How It Works
Next.js uses an internal header `x-middleware-subrequest` to track middleware invocation depth and avoid infinite loops. Attackers discovered they could send this header from the outside to trick the framework into skipping middleware execution, bypassing any auth guard implemented in middleware.ts.
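The trust-boundary point above, as an added example that is not code from the page or from the Next.js project: a small, framework-independent model of an edge layer in front of a Next.js app. It drops any client-supplied `x-middleware-subrequest` header (the only name taken from the page) before forwarding, raises a detection message when one arrives from outside, and shows a route handler that checks the session itself so the outcome never depends on whether middleware ran. The request shape, session store and sample values are constructed for the example.

```typescript
// Added example; not part of the original page or of Next.js.
// Header name comes from the page; everything else is a constructed model.
export const INTERNAL_HEADER = "x-middleware-subrequest";

export interface InboundRequest {
  method: string;
  path: string;
  headers: Record<string, string>;
}

export interface ProxyDecision {
  forwarded: InboundRequest;   // request as it would be passed to the app
  stripped: string[];          // header names removed at the edge
  alert: string | null;        // detection message for the SOC, if any
}

/**
 * Strip Next.js-internal headers at the proxy/CDN boundary.
 * The header is case-insensitive, so compare on the lower-cased name.
 * Its presence on an external request is unexpected and is flagged.
 */
export function sanitizeAtEdge(req: InboundRequest, clientIp: string): ProxyDecision {
  const forwarded: InboundRequest = { method: req.method, path: req.path, headers: {} };
  const stripped: string[] = [];
  let alert: string | null = null;
  for (const [name, value] of Object.entries(req.headers)) {
    const lower = name.toLowerCase();
    if (lower === INTERNAL_HEADER) {
      stripped.push(name);
      alert = `suspicious: ${INTERNAL_HEADER}=${JSON.stringify(value)} from external client ` +
              `${clientIp} on ${req.method} ${req.path}`;
      continue;
    }
    forwarded.headers[lower] = value;
  }
  return { forwarded, stripped, alert };
}

// Constructed session store standing in for a real session backend.
const sessions = new Map<string, { userId: string }>([["sess-ok", { userId: "u1" }]]);

/**
 * Defense in depth: the handler validates the session cookie itself,
 * so a skipped middleware layer does not turn into an auth bypass.
 */
export function handleProfile(req: InboundRequest): { status: number; body: string } {
  const cookie = req.headers["cookie"] ?? "";
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookie);
  const user = m ? sessions.get(m[1]) : undefined;
  if (!user) return { status: 401, body: "Unauthorized" };
  return { status: 200, body: `hello ${user.userId}` };
}
```

In a real deployment the equivalent of `sanitizeAtEdge` is a header-removal rule on the CDN or reverse proxy, and the `alert` string is what you would ship to your SIEM; the handler-level check is the part that stays necessary even after the upgrade.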
// BAD: Next.js < 15.2.3 — attacker sends:
// x-middleware-subrequest: middleware:middleware:middleware
// and this middleware is completely skipped
import { NextRequest, NextResponse } from 'next/server';

export function middleware(req: NextRequest) {
  const token = req.cookies.get('session');
  // NextResponse.redirect needs an absolute URL, so resolve against the request
  if (!token) return NextResponse.redirect(new URL('/login', req.url));
  return NextResponse.next();
}

// GOOD: upgrade Next.js to >= 15.2.3
// Also: never rely solely on middleware for auth.
// Always verify the session in the route/page itself.
import { createClient } from '@/utils/supabase/server'; // path assumed: your server-side Supabase client helper

export async function GET() {
  const supabase = createClient();
  const { data: { user } } = await supabase.auth.getUser();
  if (!user) return Response.json({ error: 'Unauthorized' }, { status: 401 });
  return Response.json({ id: user.id });
}

Real-World Example
CVE-2025-29927 — publicly disclosed March 2025. Affected all Next.js versions using middleware for auth. Any app where middleware was the only auth layer was fully exposed. CVSS score: 9.1 (Critical).
How to Prevent It
- Upgrade Next.js to 15.2.3 or later immediately
- Never use middleware as your only auth layer — always add a server-side session check in pages and API routes
- Strip the x-middleware-subrequest header from inbound requests at your CDN/proxy level as a temporary mitigation
- Run Data Hogo to detect vulnerable Next.js versions in your repo
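The version check in the list above, as an added example that is not Data Hogo's code or any Next.js tooling: it reads the resolved `next` version from a package-lock.json fragment and classifies it against the 15.2.3 fix the page names. A range in package.json (such as "^15.1.0") does not say what is installed, so only the lockfile's exact version is trusted; prerelease builds of the fixed version and releases on other major lines are returned as "review" rather than guessed, since the page only states the 15.x fix. The lockfile fragments are constructed.

```typescript
// Added example; not from the page, Data Hogo, or Next.js.
// Only the fixed version 15.2.3 is taken from the page.
export type Verdict = "vulnerable" | "fixed" | "review";

export const FIXED_15 = [15, 2, 3] as const;

export interface ParsedVersion {
  base: [number, number, number];
  prerelease: boolean;
}

/** Parse "15.2.3" or "15.2.3-canary.7"; returns null for ranges like "^15.1.0" or "latest". */
export function parseExactVersion(v: string): ParsedVersion | null {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) return null;
  return { base: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

function lessThan(a: readonly number[], b: readonly number[]): boolean {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

/** Classify an installed next version against the 15.x fix named on the page. */
export function classifyNextVersion(v: string): Verdict {
  const parsed = parseExactVersion(v);
  if (parsed === null) return "review";            // a range, not an installed version
  if (parsed.base[0] !== 15) return "review";      // other major lines: check the upstream advisory
  if (lessThan(parsed.base, FIXED_15)) return "vulnerable";
  // 15.2.3-canary.* sorts before 15.2.3 in semver, so do not call it fixed
  if (parsed.prerelease && !lessThan(FIXED_15, parsed.base)) return "review";
  return "fixed";
}

/** package-lock.json (lockfileVersion 2/3) stores the resolved version under packages["node_modules/next"]. */
export function nextVersionFromLockfile(lock: unknown): string | null {
  const packages = (lock as { packages?: Record<string, { version?: string }> }).packages;
  return packages?.["node_modules/next"]?.version ?? null;
}

export function auditLockfile(lockJson: string): { version: string | null; verdict: Verdict } {
  const version = nextVersionFromLockfile(JSON.parse(lockJson));
  return { version, verdict: version === null ? "review" : classifyNextVersion(version) };
}

// Constructed lockfile fragments (not from any real repository).
export const SAMPLE_VULNERABLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "^15.1.0" } },   // the range alone says nothing
    "node_modules/next": { version: "15.1.7" },  // the resolved version decides
  },
});
export const SAMPLE_FIXED_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: { "node_modules/next": { version: "15.2.3" } },
});
```

Run `auditLockfile` over the lockfile of each deployable app, not just the repo root, since a monorepo can pin different `next` versions per workspace.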
Data Hogo detects this vulnerability automatically.
Related Vulnerabilities
dangerouslySetInnerHTML Without Sanitization
Severity: high. Using React's dangerouslySetInnerHTML with unsanitized user input allows attackers to inject malicious scripts that execute in other users' browsers.
Authentication Tokens in localStorage
Severity: high. Storing JWT tokens, session tokens, or API keys in localStorage makes them accessible to any JavaScript running on the page, including XSS payloads.
__NEXT_DATA__ Secrets Exposure
Severity: high. Next.js page props passed through getServerSideProps or getStaticProps leak sensitive data like API keys, database URLs, or internal configuration via the __NEXT_DATA__ script tag.
Source Maps Exposed in Production
Severity: medium. JavaScript source map files (.map) are publicly accessible in production, revealing the complete original source code including comments, variable names, and internal logic.