CVE-2025-29927: Authorization Bypass in Next.js Middleware
Executive Summary
CVE-2025-29927 is a critical vulnerability affecting Next.js applications that utilize middleware for authorization. This vulnerability allows attackers to bypass authorization checks by manipulating the x-middleware-subrequest header in HTTP requests. Successful exploitation can lead to unauthorized access to protected routes and resources. The vulnerability is fixed in Next.js versions 14.2.25 and 15.2.3. A workaround involves blocking external user requests containing the x-middleware-subrequest header.
Technical Details
The vulnerability resides in how Next.js handles the x-middleware-subrequest header within its middleware system. This header is used internally by Next.js to manage subrequests during the execution of middleware. However, a flaw in the logic allows external, unauthenticated users to inject this header into their requests, effectively tricking the application into bypassing authorization checks that are implemented within the middleware.
Affected Systems:
- Next.js applications using middleware for authorization.
- Next.js versions
>= 11.1.4, <= 13.5.6 - Next.js versions
> 14.0.0, < 14.2.25 - Next.js versions
> 15.0.0, < 15.2.3
Affected Components:
The core component affected is the Next.js middleware system, specifically the logic that processes and validates incoming HTTP requests and their headers. The vulnerability is triggered when the application relies solely on the presence or absence of the x-middleware-subrequest header to determine whether a request should be subject to authorization checks.
Root Cause Analysis
The root cause of CVE-2025-29927 lies in the insufficient validation of the x-middleware-subrequest header. The Next.js middleware, intended to perform authorization, trusts the presence of this header as an indicator of an internal subrequest. Attackers can exploit this trust by adding the x-middleware-subrequest header to their malicious requests, causing the middleware to skip the necessary authorization checks.
The vulnerability arises because the middleware logic does not properly verify the origin or authenticity of requests containing the x-middleware-subrequest header. This lack of validation allows external users to impersonate internal subrequests and bypass authorization controls.
Patch Analysis
The fix for CVE-2025-29927 involves enhancing the validation of the x-middleware-subrequest header to prevent unauthorized users from bypassing authorization checks. The patch introduces a mechanism to verify the origin and authenticity of requests containing this header, ensuring that only legitimate internal subrequests are allowed to bypass authorization.
Several code patches contribute to mitigating this vulnerability. One key patch introduces a subrequest ID to correlate requests originating from middleware.
File: packages/next/src/server/lib/router-server.ts
--- a/packages/next/src/server/lib/router-server.ts
+++ b/packages/next/src/server/lib/router-server.ts
@@ -149,6 +149,12 @@ export async function initialize(opts: {
renderServer.instance =
require('./render-server') as typeof import('./render-server')
+ const randomBytes = new Uint8Array(8)
+ crypto.getRandomValues(randomBytes)
+ const middlewareSubrequestId = Buffer.from(randomBytes).toString('hex')
+ ;(globalThis as any)[Symbol.for('@next/middleware-subrequest-id')] =
+ middlewareSubrequestId
+
const requestHandlerImpl: WorkerRequestHandler = async (req, res) => {
// internal headers should not be honored by the request handler
if (!process.env.NEXT_PRIVATE_TEST_HEADERS) {
This patch generates a unique ID (middlewareSubrequestId) and stores it in the global scope. This ID will be used to identify legitimate subrequests originating from the middleware.
Another crucial patch filters internal headers, specifically the x-middleware-subrequest header, based on the presence and validity of a corresponding x-middleware-subrequest-id header.
File: packages/next/src/server/lib/server-ipc/utils.ts
--- a/packages/next/src/server/lib/server-ipc/utils.ts
+++ b/packages/next/src/server/lib/server-ipc/utils.ts
@@ -57,5 +57,16 @@ export const filterInternalHeaders = (
if (INTERNAL_HEADERS.includes(header)) {
delete headers[header]
}
+
+ // If this request didn't origin from this session we filter
+ // out the "x-middleware-subrequest" header so we don't skip
+ // middleware incorrectly
+ if (
+ header === 'x-middleware-subrequest' &&
+ headers['x-middleware-subrequest-id'] !==
+ (globalThis as any)[Symbol.for('@next/middleware-subrequest-id')]
+ ) {
+ delete headers['x-middleware-subrequest']
+ }
}
}
This code ensures that if a request includes the x-middleware-subrequest header, it must also include a valid x-middleware-subrequest-id that matches the ID generated in the initialize function. If the IDs don't match, the x-middleware-subrequest header is removed, preventing the authorization bypass.
Finally, the x-middleware-subrequest-id is added to the headers in the sandbox context:
File: packages/next/src/server/web/sandbox/context.ts
--- a/packages/next/src/server/web/sandbox/context.ts
+++ b/packages/next/src/server/web/sandbox/context.ts
@@ -365,6 +365,10 @@ Learn More: https://nextjs.org/docs/messages/edge-dynamic-code-evaluation`),
store.headers.get('x-middleware-subrequest') ?? ''
)
}
+ init.headers.set(
+ 'x-middleware-subrequest-id',
+ (globalThis as any)[Symbol.for('@next/middleware-subrequest-id')]
+ )
const prevs =
init.headers.get(`x-middleware-subrequest`)?.split(':') || []
This ensures that when a subrequest is made within the middleware, the correct ID is included in the request headers.
These patches collectively address the vulnerability by ensuring that the x-middleware-subrequest header is only honored when accompanied by a valid, matching x-middleware-subrequest-id, effectively preventing unauthorized users from bypassing authorization checks.
Exploitation Techniques
An attacker can exploit CVE-2025-29927 by crafting HTTP requests that include the x-middleware-subrequest header. If the Next.js application relies solely on the presence of this header to determine whether to apply authorization checks, the attacker can bypass these checks and gain unauthorized access to protected resources.
Attack Scenario:
- Identify a protected route: The attacker identifies a route that requires authentication or authorization, such as
/admin/dashboard. - Craft a malicious request: The attacker crafts an HTTP request to the protected route, including the
x-middleware-subrequestheader:
GET /admin/dashboard HTTP/1.1
Host: vulnerable-app.com
x-middleware-subrequest: true
- Send the request: The attacker sends the crafted request to the vulnerable Next.js application.
- Bypass authorization: Due to the presence of the
x-middleware-subrequestheader, the middleware skips the authorization checks, granting the attacker unauthorized access to the/admin/dashboardroute.
Real-World Impacts:
- Data breaches: Unauthorized access to sensitive data, such as user credentials, financial records, or confidential business information.
- Account takeover: Attackers can gain control of user accounts, allowing them to perform actions on behalf of legitimate users.
- Privilege escalation: Attackers can elevate their privileges to gain administrative access to the application, enabling them to perform critical operations or modify system configurations.
- Denial of service: Attackers can disrupt the availability of the application by flooding it with malicious requests that bypass authorization checks.
Mitigation Strategies
To mitigate CVE-2025-29927, the following strategies are recommended:
- Upgrade Next.js: Upgrade to Next.js version 14.2.25 or 15.2.3, which include the necessary patches to address the vulnerability.
- Validate
x-middleware-subrequestheader: If upgrading is not immediately feasible, implement middleware logic to validate thex-middleware-subrequestheader. This involves verifying the origin and authenticity of requests containing this header, ensuring that only legitimate internal subrequests are allowed to bypass authorization.
// Example middleware code to block requests with x-middleware-subrequest header
export function middleware(request: NextRequest) {
if (request.headers.has('x-middleware-subrequest')) {
return new Response('Unauthorized', { status: 401 });
}
return NextResponse.next();
}
export const config = {
matcher: '/admin/:path*',
};
This middleware code snippet checks for the presence of the x-middleware-subrequest header in incoming requests. If the header is present, the middleware returns a 401 Unauthorized response, effectively blocking the request. This mitigation strategy prevents attackers from bypassing authorization checks by injecting the x-middleware-subrequest header into their malicious requests.
- Implement robust authorization checks: Ensure that authorization checks are implemented consistently throughout the application, including in middleware, API routes, and server-side components. Avoid relying solely on the presence or absence of the
x-middleware-subrequestheader to determine whether to apply authorization checks. - Regular security audits: Conduct regular security audits and penetration testing to identify and address potential vulnerabilities in the application.
Timeline of Discovery and Disclosure
- 2025-03-12: Vulnerability reported.
- 2025-03-21: Patches released in Next.js versions 14.2.25 and 15.2.3.
- 2025-03-21: Public disclosure of CVE-2025-29927.